Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]




I think I'd be setting up a sniffer and figuring out exactly what is
wanting what open and why.

...that's an awful lot of ports, and exactly where is this firewall?

I'm with Brian.. except I would probably not use the f word.. but I
think I'd be going "okay, this is fine to keep the bosses from freaking
out, but we're getting to the bottom of this so I can close those
suckers back up or at least only open the minimums".



Brian Desmond wrote:

  And fwiw you have some forgiving firewall people. I would have told
  you to f off and lock it down.

  Thanks,
  Brian Desmond
  [EMAIL PROTECTED]
  c - 312.731.3132

  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
  Sent: Friday, June 02, 2006 4:30 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

  Well everyone, it's fixed. It's something that even MS is a bit
  surprised at, although they say they have seen it before. Essentially,
  for the last year since this forest has been deployed, high ports
  (1024-65535) have been blocked at the firewall, but for whatever reason
  everything seemed to work fine. Installing SP1 apparently changed
  something, or fixed something, that finally made it a requirement to
  have those high ports open.

  They opened 1024-65535 on our Checkpoint firewall and the login times
  instantly went from 4-8 minutes back down to the usual few seconds. It
  sucks to have to learn about things like this by killing a production
  environment for 4 hours and burning some Premier Support hours, but at
  least we know what to look for when we upgrade some of our other
  domains to SP1!

  Thanks to everyone for all the suggestions and help, it's always
  appreciated!

  Also, to everyone else that was experiencing this issue, I'd be
  interested to know if a firewall or router ACL blocking high ports is
  the cause of the problem for you!
  
  
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Clay, Justin (ITS)
  Sent: Friday, June 02, 2006 2:31 PM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

  Nope, I can get to them from the client PCs just fine... I was able to
  drill down into all of the policies that I tried.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: Friday, June 02, 2006 1:34 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

  Any problems accessing \\domain\sysvol\domain\Policies ?
  

  
  
  On 6/2/06, Clay, Justin (ITS) [EMAIL PROTECTED] wrote:

  Hopefully the attachment comes through. The interesting part, and where
  most of the time delay is seen, is here:

  USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
  USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
  USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
  USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
  USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
  USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
  USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
  USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
  USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
  USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
  USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
  
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
  Sent: Friday, June 02, 2006 12:19 PM
  To: ActiveDir@mail.activedir.org
  Subject: Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

  I think a different thread mentioned that DNS was about 90% of the
  cause of this type of behavior. It's not the only one however.

  What keeps rebooting? The DC? Or the workstations? If the
  workstations, not only ethereal but Darren's suggestion of logging is a
  good idea.

  On 6/2/06, Za Vue [EMAIL PROTECTED] wrote:

  Finally.. someone is also experiencing this problem. My DCs are
  Windows 2003 SP1 also. It seems to hang every 3-4 reboots. My first
  thought was DNS, DNS.. but NetDiag, Repl, DCDiag, Nslookup all show no
  error. Nothing is reported in logs. It is not the firewall. I have
  played with NetBIOS, changing Provider Order in Network
  Neighborhood-Advanced Settings.. nada.

  This week has been quiet. If someone calls again I have ethereal set up
  and ready to capture. The thing about my environment is I do not manage
  the switches or router. I
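The USERENV excerpt quoted in this thread is worth turning into a repeatable check rather than something read by eye. Win32 error 1753 is EPT_S_NOT_REGISTERED ("There are no more endpoints available from the endpoint mapper"): the client asked the RPC endpoint mapper for an endpoint and did not get a usable one, which is consistent with the thread's finding that the dynamic high ports were blocked. The Python below is an added example, not code from the thread or from Microsoft: it parses userenv.log-style lines (the sample is the excerpt quoted above), counts the GetUserNameEx failures and retries, and measures how long the machine policy cycle stalled, so the same signature can be recognised on other clients before anyone opens a port range on a firewall. The line regex and the small error-name table are mine.

```python
import re
from collections import Counter

# Constructed sample: the userenv.log excerpt quoted earlier in this thread.
SAMPLE_LOG = """\
USERENV(42c.2f0) 12:36:47:528 ProcessGPOs: Machine role is 2.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:37:50:606 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:38:54:371 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:39:58:027 MyGetUserName: Retrying call to GetUserNameEx in 1/2 second.
USERENV(42c.2f0) 12:41:01:573 MyGetUserName: GetUserNameEx failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: MyGetUserName failed with 1753.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: No WMI logging done in this policy cycle.
USERENV(42c.2f0) 12:41:01:573 ProcessGPOs: Processing failed with error 1753.
"""

# userenv.log line shape: USERENV(pid.tid) HH:MM:SS:mmm Function: message
LINE_RE = re.compile(
    r"^USERENV\((?P<pid>[0-9a-f]+)\.(?P<tid>[0-9a-f]+)\)\s+"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2}):(?P<ms>\d{3})\s+"
    r"(?P<func>\w+):\s+(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"GetUserNameEx failed with (?P<code>\d+)")
FINAL_RE = re.compile(r"Processing failed with error (?P<code>\d+)")

# Win32 error codes this check knows how to name.
ERROR_NAMES = {
    1753: "EPT_S_NOT_REGISTERED (no endpoints available from the RPC endpoint mapper)",
    1722: "RPC_S_SERVER_UNAVAILABLE (the RPC server is unavailable)",
}

MS_PER_DAY = 24 * 60 * 60 * 1000


def parse_line(line):
    """Return (timestamp_ms, function, message) for one userenv.log line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = ((int(m["h"]) * 60 + int(m["m"])) * 60 + int(m["s"])) * 1000 + int(m["ms"])
    return ts, m["func"], m["msg"]


def analyze_policy_cycle(text):
    """Summarise one policy cycle: GetUserNameEx failures by code, retries, stall time."""
    events = [e for e in (parse_line(l) for l in text.splitlines()) if e]
    if not events:
        return None
    start_ts = events[0][0]
    end_ts = start_ts
    failures = Counter()
    retries = 0
    final_error = None
    for ts, _func, msg in events:
        end_ts = ts
        failed = FAILED_RE.search(msg)
        if failed:
            failures[int(failed["code"])] += 1
        if "Retrying call to GetUserNameEx" in msg:
            retries += 1
        final = FINAL_RE.search(msg)
        if final:
            final_error = int(final["code"])
    stall_ms = end_ts - start_ts
    if stall_ms < 0:          # log crossed midnight; timestamps carry no date
        stall_ms += MS_PER_DAY
    return {
        "failures": dict(failures),
        "retries": retries,
        "stall_ms": stall_ms,
        "final_error": final_error,
        "final_error_name": ERROR_NAMES.get(final_error, "unknown"),
    }


if __name__ == "__main__":
    r = analyze_policy_cycle(SAMPLE_LOG)
    print(f"GetUserNameEx failures: {r['failures']}, retries: {r['retries']}")
    print(f"policy cycle stalled for {r['stall_ms'] / 1000:.1f} s, "
          f"final error {r['final_error']}: {r['final_error_name']}")
```

Run against the excerpt it reports four 1753 failures, three retries and a stall of just over four minutes, which matches the 4-8 minute logon times the thread describes; pointing it at a full userenv.log from another client tells you whether that client is seeing the same RPC symptom.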

Re: [ActiveDir] Change private IP on a cluster- In DNS, multiple computers can be named with the same name

2006-06-07 Thread Jose Medeiros

Hi Jim,

I agree with you, and I do find TechNet articles that are unclear and are
missing steps; however, much of it is that Microsoft has only 5 or 6 people
creating that content and they probably do not always test (or have very
limited testing of) what they are listing.

However, this section below makes a lot of sense. If you have a very flat
domain, you probably would not have an issue. But if you have a large
worldwide enterprise such as Microsoft, Cisco, Intel, Ford Motor Company, GM,
etc., with a very complex network and many DNS subdomains and children, this
may be an issue.

(Please read this section)

 Name collisions cannot occur when you use WINS. In a WINS environment,
 only one computer can be named SERVERA. In DNS, multiple computers can be
 named SERVERA. For example, one computer may be named
 SERVERA.EUROPE.DOMAIN.COM and another computer may be named
 SERVERA.AMERICA.DOMAIN.COM. If a user who is located in the AMERICA domain
 types \\SERVERA, they connect to SERVERA in the AMERICA domain. If a user
 who is located in the AMERICA domain wants to connect to SERVERA in the
 EUROPE domain, that user must specify the fully qualified domain name (FQDN)
 SERVERA.EUROPE.DOMAIN.COM. Some programs may only permit entries with a
 maximum of 15 characters for NetBIOS names. These programs may still work if
 a mechanism exists to avoid duplicate host names and if the DNS suffix list
 of domains is provided to all clients.

Anyone from Microsoft care to comment on this?

Jose :-)
--
- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 5:56 AM
Subject: [ExchangeList] Re: Change private IP on a cluster- Reply-Reply

http://www.msexchange.org
---

Some articles are written with good intent, but bad information.
I spend about 10% of my time getting those corrected.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Monday, June 05, 2006 10:13 PM
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Subject: [ExchangeList] Change private IP on a cluster- Reply-Reply

Hi Jim,

Are you sure that holds true on a clustered Exchange 2000 server? I
recall from my Microsoft 2000 server clustering class at Quickstart
Intelligence back in 2001,
http://www.quickstart.com/courses/course.asp?cat=Windows&type=88&course=2087
that the instructor stated that both Exchange 2000 and SQL 2000
clustered were dependent on NETBIOS. Was this changed in a later service
pack? Why would Microsoft create this article dated:

 Article ID : 837391
 Last Review : March 30, 2006
 Revision : 4.0

Jose :-)


-
- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 10:01 PM
Subject: [ExchangeList] Re: Change private IP on a cluster- Reply

Neither one had this dependency.
Exch 2000 runs only on Win2K and Win2K3.
Both of these OSes prefer DNS to WINS for name resolution, and if your
network structure provides good DNS services, WINS is a non-issue for
Exchange 2K+.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jose Medeiros
Sent: Monday, June 05, 2006 9:56 PM
To: ActiveDir@mail.activedir.org; [EMAIL PROTECTED]
Subject: [ExchangeList] Change private IP on a cluster- Reply

Hi Jim,

Looks like your post never made it to the Active Dir list. If I recall,
Exchange 2000 clustered still had dependencies on WINS, and I was told
at a Microsoft TechNet event that Exchange 2003 clustered no longer had
this requirement, until I saw the Microsoft article that I pointed out:
http://support.microsoft.com/default.aspx?scid=kb;en-us;837391 .

Jose


- Original Message -
From: Jim Harrison [EMAIL PROTECTED]
To: [EMAIL PROTECTED]; ActiveDir@mail.activedir.org
Cc: [EMAIL PROTECTED]
Sent: Monday, June 05, 2006 6:17 AM
Subject: [ExchangeList] Re: Change private IP on a cluster

837391 is getting changed.
I'm putting in the technical update today.

It's wrong
Wrong, wrong, wrong.
Wrgonggitty-wrong-wrong Wrong!

WINS is *NOT* required for Exch functionality, but proper name
resolution support in the network *IS* required.  If you've built
your network, name services & clients properly, using a simple name gets
you the same response as using FQDN in a ping command.

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL

Re: [ActiveDir] PCs hang at "Applying computer settings" after upgrading DCs to 2K3 SP1

2006-06-07 Thread Al Mulnick
Hmm.. I'm surprised by that Susan. :)

Anyhow, why would you lock it down? I'm curious as to what the motivation is in this particular instance to use the firewall like that. What's the gain? What risk are you mitigating? What are you controlling?

As I understand this, it is not an internet-facing machine such that a firewall is there to slow the rush. This is firewalled off from other networks within the trusted networks (or not so trusted, I suppose, since you did deploy a firewall). I'm not sure I understand what's to be gained by doing this, so I'm curious. I'm familiar with what other companies have done this type of configuration for, but I'm interested in this particular instance.



On 6/7/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote:

I think I'd be setting up a sniffer and figuring out exactly what is wanting what open and why... that's an awful lot of ports... and exactly where is this firewall? I'm with Brian.. except I would probably not use the f word.. but I think I'd be going "okay this is fine to keep the bosses from freaking out but we're getting to the bottom of this so I can close those suckers back up or at least only open the minimums".




RE: [ActiveDir] User Logon Hour

2006-06-07 Thread Atila Firmino

Hello all.

Can anyone help me?

Thanks

Atila

_

From: Atila Firmino
Sent: Monday, June 05, 2006 15:08
To: ActiveDir@mail.activedir.org
Subject: User Logon Hour

Hi everybody.

How can I change user logon hours by binding directly to the user object? Is this possible? I know that it is possible using another user object as a template.

Thanks

Atila Firmino

This message is intended exclusively for its addressee and may contain information that is confidential and protected by a professional privilege or whose disclosure is prohibited by law. Unauthorized use of such information is prohibited and subject to applicable penalties.
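The question above gets no answer in this thread. The value to bind to on the user object is the logonHours attribute: a 21-byte (168-bit) bitmap with one bit per hour of the week, stored in UTC, which is why a value copied from a template user can look "shifted" when the two accounts sit in different time zones. The Python below is an added example, not the poster's code or anything from this list: it builds and decodes that bitmap and converts a local-time business-hours window into the UTC bits. It assumes the usual layout (bit 0 of byte 0 is Sunday 00:00-01:00 UTC, least-significant bit first within each byte); writing the value to the directory through an LDAP client is outside the block.

```python
# Added example: encoding and decoding the AD logonHours attribute.
# Assumption: bit 0 of byte 0 = Sunday 00:00-01:00 UTC, LSB-first within each byte.

DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 7 * 24
LOGON_HOURS_LEN = 21  # 168 bits, one per hour of the week


def _bit_index(day, hour):
    """Bit position for (day, hour); day 0 is Sunday, hour is 0-23 in UTC."""
    if not (0 <= day < 7 and 0 <= hour < 24):
        raise ValueError(f"bad day/hour: {day}/{hour}")
    return day * 24 + hour


def build_logon_hours(allowed):
    """Return the 21-byte logonHours value permitting exactly the (day, hour) pairs given."""
    blob = bytearray(LOGON_HOURS_LEN)
    for day, hour in allowed:
        idx = _bit_index(day, hour)
        blob[idx // 8] |= 1 << (idx % 8)
    return bytes(blob)


def is_logon_allowed(blob, day, hour):
    """Test one hour of the week against an existing logonHours value."""
    if len(blob) != LOGON_HOURS_LEN:
        raise ValueError("logonHours must be 21 bytes")
    idx = _bit_index(day, hour)
    return bool(blob[idx // 8] & (1 << (idx % 8)))


def decode_logon_hours(blob):
    """Return the set of (day, hour) pairs permitted by `blob`."""
    return {(d, h) for d in range(7) for h in range(24) if is_logon_allowed(blob, d, h)}


def is_unrestricted(blob):
    """All 168 bits set: the account may log on at any hour (same effect as no value)."""
    return blob == b"\xff" * LOGON_HOURS_LEN


def business_hours(start_hour, end_hour, utc_offset_hours=0):
    """(day, hour) pairs for Mon-Fri, start..end-1 in local time, shifted to UTC.
    The shift wraps across the week, so a late Friday window at UTC-3 lands on Saturday UTC."""
    allowed = set()
    for day in range(1, 6):
        for hour in range(start_hour, end_hour):
            idx = (day * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
            allowed.add(divmod(idx, 24))
    return allowed


def describe(blob):
    """Per-day summary (UTC hours) for reviewing a value read from the directory."""
    lines = []
    for d, name in enumerate(DAYS):
        hours = [h for h in range(24) if is_logon_allowed(blob, d, h)]
        lines.append(f"{name}: {hours if hours else 'no logon'}")
    return "\n".join(lines)


if __name__ == "__main__":
    value = build_logon_hours(business_hours(8, 18, utc_offset_hours=-3))
    print(value.hex())
    print(describe(value))
```

The usual mistake when reviewing these values is reading the hours as local time; `describe` prints UTC on purpose, and `business_hours` takes the offset explicitly so the conversion is visible rather than hidden in the bitmap.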


Re: [ActiveDir] Change private IP on a cluster- In DNS, multiple computers can be named with the same name

2006-06-07 Thread Al Mulnick
I'm pretty sure Jim is familiar with those 5-6 people creating the content on a personal level ;)

FWIW, Exchange 2k is dependent on shortname resolution (AKA NetBIOS/WINS name resolution or, in this case, good DNS name resolution practices) for some of its components. Which ones? Setup was one notable. It checks. But after that, you *could* use Exchange 2K without WINS. There are other components that are coded to use shortname resolution, but WINS is not necessarily a requirement. Can be tricky if you don't have it though.

If you think that good DNS resolution is going to solve the issue, however, that's not always the case, so I'd argue that the KB errs on the side of caution. In the case detailed below, where you have multiple SERVERAs, shortname doesn't work as expected. That could be a real problem for you. In that case WINS was/is a better choice IMHO. Not that I want to keep using WINS, mind you.

Al


On 6/7/06, Jose Medeiros [EMAIL PROTECTED] wrote:

Hi Jim,

I agree with you, and I do find TechNet articles that are unclear and are
missing steps; however, much of it is that Microsoft has only 5 or 6 people
creating that content and they probably do not always test (or have very
limited testing of) what they are listing.

However, this section below makes a lot of sense. If you have a very flat
domain, you probably would not have an issue. But if you have a large
worldwide enterprise such as Microsoft, Cisco, Intel, Ford Motor Company,
GM, etc., with a very complex network and many DNS subdomains and children,
this may be an issue.

(Please read this section)

 Name collisions cannot occur when you use WINS. In a WINS environment,
 only one computer can be named SERVERA. In DNS, multiple computers can be
 named SERVERA. For example, one computer may be named
 SERVERA.EUROPE.DOMAIN.COM and another computer may be named
 SERVERA.AMERICA.DOMAIN.COM. If a user who is located in the AMERICA domain
 types \\SERVERA, they connect to SERVERA in the AMERICA domain. If a user
 who is located in the AMERICA domain wants to connect to SERVERA in the
 EUROPE domain, that user must specify the fully qualified domain name (FQDN)
 SERVERA.EUROPE.DOMAIN.COM. Some programs may only permit entries with a
 maximum of 15 characters for NetBIOS names. These programs may still work if
 a mechanism exists to avoid duplicate host names and if the DNS suffix list
 of domains is provided to all clients.

Anyone from Microsoft care to comment on this?

Jose :-)
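Al's point about multiple SERVERAs is easy to see with a small model of the resolver. The Python below is an added example, not code from this list or from the KB article Jose quotes: it applies a client's DNS suffix search list to a short name the way the quoted article describes, shows that a client in AMERICA reaches the AMERICA host while the EUROPE one needs its FQDN, and audits a zone for colliding host labels and for labels over the 15-character NetBIOS limit. The zone entries and addresses are constructed. From the defender's side the interesting part is that whichever suffix order a client happens to have decides which machine a short name connects to, so a colliding label is a trust question and not only a convenience one.

```python
# Added example: DNS suffix-list resolution of short names and a collision audit.
# The zone below is constructed; real data would come from the DNS server.

ZONE = {
    "servera.america.domain.com": "10.2.0.5",
    "servera.europe.domain.com": "10.1.0.5",
    "mail01.america.domain.com": "10.2.0.25",
    "dc01.domain.com": "10.0.0.10",
    "fileserver-europe-01.europe.domain.com": "10.1.0.40",
}

NETBIOS_MAX = 15  # longest host label a NetBIOS-only program accepts


def resolve(name, suffix_list, zone=ZONE):
    """Resolve `name` as a Windows client would try it.

    A name with a trailing dot, or one that already exists as an FQDN, is looked up
    as-is; otherwise each suffix in the client's search list is appended in order and
    the first hit wins. Returns (fqdn, address) or None."""
    name = name.lower().strip("\\")  # tolerate a UNC-style "\\SERVERA" input
    if name.endswith("."):
        fqdn = name[:-1]
        return (fqdn, zone[fqdn]) if fqdn in zone else None
    if name in zone:
        return name, zone[name]
    for suffix in suffix_list:
        candidate = f"{name}.{suffix.lower()}"
        if candidate in zone:
            return candidate, zone[candidate]
    return None


def collisions(zone=ZONE):
    """Host labels that exist in more than one DNS domain (the SERVERA case)."""
    by_label = {}
    for fqdn in zone:
        label, _, domain = fqdn.partition(".")
        by_label.setdefault(label, []).append(domain)
    return {label: sorted(domains) for label, domains in by_label.items() if len(domains) > 1}


def too_long_for_netbios(zone=ZONE):
    """FQDNs whose host label cannot be entered in a 15-character NetBIOS name field."""
    return sorted(fqdn for fqdn in zone if len(fqdn.partition(".")[0]) > NETBIOS_MAX)


if __name__ == "__main__":
    america_client = ["america.domain.com", "domain.com"]
    europe_client = ["europe.domain.com", "domain.com"]
    print(r"\\SERVERA from AMERICA ->", resolve(r"\\SERVERA", america_client))
    print(r"\\SERVERA from EUROPE  ->", resolve(r"\\SERVERA", europe_client))
    print("explicit FQDN         ->", resolve("SERVERA.EUROPE.DOMAIN.COM", america_client))
    print("colliding labels:", collisions())
    print("too long for NetBIOS:", too_long_for_netbios())
```

`collisions` is the audit to run before deciding whether good DNS alone is enough: if it returns anything, short names are ambiguous for some clients and the outcome depends on suffix order rather than on what the user meant.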

RE: [ActiveDir] sample vbs script

2006-06-07 Thread Antonio Aranda
thanks

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Alain Lissoir
Sent: Tuesday, June 06, 2006 7:25 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] sample vbs script

 

Look at http://www.lissware.net, White Papers section, page 73, Sample 22,
lines 460 and 462.

 459:
 460:    objUser.Put "homeDirectory", "\\" & strAccountComputer & _
 461:                "\" & strUserID & "$"
 462:    objUser.Put "homeDrive", cHomeDrive
 463:

February 2000 (Compaq Active Answers):

http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000.pdf
Part 1 - Understanding the Microsoft WSH and the ADSI in Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part%201%20-%20Understanding%20Microsoft%20WSH%20and%20ADSI%20in%20Windows%202000%20(Scripts%20Kit).zip
(Script Kit)

http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000.pdf
Part 2 - The powerful combination of WSH and ADSI under Windows 2000
http://users.skynet.be/alain.lissoir/hp/Part%202%20-%20The%20powerful%20combination%20of%20WSH%20and%20ADSI%20under%20Windows%202000%20(Scripts%20Kit).zip
(Script Kit)

 

 

 

  _  

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Antonio Aranda
Sent: Tuesday, June 06, 2006 5:10 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script

Thanks for the help so far 

 

But does any one know how to add the attribute Home Folder?  Not the
Local Path but the Connect: with letter drive using vbs script?

 

Thanks Again

 

Antonio Aranda


RE: [ActiveDir] Address List based on OU

2006-06-07 Thread Harding, Devon

Exactly, I don't want to have to be modifying the extensionAttribute EVERY time I add a new user to that specific OU.

Unless, like what Al was saying, I could somehow create a script, apply it to a GPO, that when the user logs in, it modifies their extensionAttribute based on their OU.

-Devon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Address List based on OU

I prefer a script that can be woken up to read that OU periodically and assure me to some degree that the objects contained are tagged as I expect them to be.

ADMODIFY would likely do it as well. I'm sure *somebody-whose-name-starts-with-j* would have a tool preference that would also do such a thing. Well, pretty sure anyway. :)

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote:

Damn... I was trying to avoid using extensionAttribute

Oh well... admodify.NET?

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 3:05 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Address List based on OU

You can't directly do that. To do that, you'll want to tag each of the users in that OU with some attribute and then create your AL based on that attribute instead.

Al

On 6/6/06, Harding, Devon [EMAIL PROTECTED] wrote:

I have several sites that are sitting on one mailbox store but are located in different OUs. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU?

-Devon

---
This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication.
Thank you.


RE: [ActiveDir] Logged in user

2006-06-07 Thread Harding, Devon
This works perfectly!  Thanks!

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Tuesday, June 06, 2006 5:24 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Logged in user

psloggedon \\Computername

http://www.sysinternals.com/Utilities/PsLoggedOn.html

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Harding, Devon
Sent: Tuesday, June 06, 2006 10:55 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Logged in user

Is there a command-line util to remotely tell what user is logged into
a PC?

-Devon

---
This message (including any attachments) is intended only for the use of
the individual or entity to which it is addressed and may contain
information that is non-public, proprietary, privileged, confidential,
and exempt from disclosure under applicable law or may constitute as
attorney work product. If you are not the intended recipient, you are
hereby notified that any use, dissemination, distribution, or copying of
this communication is strictly prohibited. If you have received this
communication in error, notify us immediately by telephone and (i)
destroy this message if a facsimile or (ii) delete this message
immediately if this is an electronic communication.

Thank you.

List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx



[ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Condra, Jerry W Mr HP
Does anyone know if there's a corresponding event id to a user's mailbox
being purged from an Exchange server after the retention timeframe
expires? I see event id 9535 showing the number of deleted mailboxes
cleaned but I want to know if there's an event showing the actual names
associated with mailboxes purged once past the retention date.

Thanks
 
Jerry 



Re: [ActiveDir] Address List based on OU

2006-06-07 Thread Al Mulnick
I hadn't really thought about putting it on the users to logon and do work. That's too much work to ensure they can update, that they logon, etc. I was thinking more like something in my provisioning code or putting a scheduled job out there that wakes up a couple of times a day and checks for the objects in that OU and for each that doesn't have the attribute set but lives in that OU, sets the attribute and logs it's actions. 


I don't trust users to do the work. :)
On 6/7/06, Harding, Devon [EMAIL PROTECTED] wrote:




Exactly, I don't want to have to be modifying the extensionAttribute EVERY time I add a new user to that specific OU.


Unless, like what Al was saying, I could some how create a script, apply it to a GPO, that when the user logs in, it modifies their extensionAttribute based on their OU.


-Devon 





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Al MulnickSent: Tuesday, June 06, 2006 7:17 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Address List based on OU





I prefer a script that can be waked up to read that OU periodically and assure me to some degree that the objects contained are tagged as I expect them to be. 




ADMODIFY would like do it as well. I'm sure *somebody-who's-name-starts-with-j* would have a tool preference that would also do such a thing. Well, pretty sure anyway. :)


On 6/6/06, Harding, Devon 
[EMAIL PROTECTED] wrote: 



Damn…I was trying to avoid using extensionAttribute


Oh well….admodify.NET?





From: 
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
On Behalf Of Al MulnickSent: Tuesday, June 06, 2006 3:05 PM

To: 
ActiveDir@mail.activedir.org 

Subject: Re: [ActiveDir] Address List based on OU 



You can't directly do that. To do that, you'll want to tag each of the users in that OU with some attribute and then create your AL based on that attribute instead. 






Al


On 6/6/06, Harding, Devon 
 [EMAIL PROTECTED] wrote: 




I have several sites that are sitting on one mailbox store but are located in different OU's. What LDAP query can I use to create an Exchange 2003 address list, based on users that are in a particular OU? 


-Devon
--- This message (including any attachments) is intended only for the use of the individual or entity to which it is addressed and may contain information that is non-public, proprietary, privileged, confidential, and exempt from disclosure under applicable law or may constitute as attorney work product. If you are not the intended recipient, you are hereby notified that any use, dissemination, distribution, or copying of this communication is strictly prohibited. If you have received this communication in error, notify us immediately by telephone and (i) destroy this message if a facsimile or (ii) delete this message immediately if this is an electronic communication. 
Thank you.


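As an added example, not code from the thread (which used ADModify): a reconciliation pass of the kind Al describes, meant to run on a schedule, that tags the users in the OU with extensionAttribute1, clears the tag from users who have since been moved out, and prints the address-list filter that replaces the OU. It assumes the ActiveDirectory PowerShell module; the OU, attribute name and tag value are placeholders.

```powershell
# Added example (not from the thread): reconcile extensionAttribute1 with OU
# membership so an Exchange address list can filter on the attribute instead of
# the OU, which an LDAP filter cannot express. Assumes the ActiveDirectory
# module; the OU, attribute name and tag value below are placeholders.
param(
    [string]$Ou         = 'OU=SiteA,OU=Users,DC=example,DC=com',  # placeholder OU
    [string]$Attr       = 'extensionAttribute1',
    [string]$Tag        = 'SiteA',                                # placeholder value
    [switch]$ReportOnly                                            # list, do not change
)

Import-Module ActiveDirectory

# 1. Users inside the OU (and its sub-OUs) that lack the tag or carry a different one.
$needTag = Get-ADUser -SearchBase $Ou -SearchScope Subtree -Filter * -Properties $Attr |
    Where-Object { $_.$Attr -ne $Tag }

# 2. Users anywhere in the domain that still carry the tag but no longer live in
#    the OU: moved out, yet the address list would keep showing them.
$stale = Get-ADUser -LDAPFilter "($Attr=$Tag)" -Properties $Attr |
    Where-Object { $_.DistinguishedName -notlike "*,$Ou" }

$set = @{}
$set[$Attr] = $Tag
foreach ($u in $needTag) {
    Write-Output "TAG   $($u.DistinguishedName)"
    if (-not $ReportOnly) { Set-ADUser -Identity $u -Replace $set }
}
foreach ($u in $stale) {
    Write-Output "CLEAR $($u.DistinguishedName)"
    if (-not $ReportOnly) { Set-ADUser -Identity $u -Clear $Attr }
}

# The address list then filters on the attribute rather than on the OU.
Write-Output "Address list filter: (&(mailNickname=*)(objectCategory=person)(objectClass=user)($Attr=$Tag))"
```

Run it once with -ReportOnly to see what it would change, then schedule it so the tag cannot drift from the OU unnoticed.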



RE: [ActiveDir] Virtual DCs

2006-06-07 Thread Presley, Steven



This is absolutely true. I know virtualization scares 
a lot of people, but the fact is that in some environments virtualizing systems 
saves a great deal of money and actually makes managing systems much easier 
(here it has reportedly saved a "significant" amount in hardware cost for the 
enterprise). I have been closely watching my Exchange servers ever since 
our AD side of the house started virtualizing DC's and with domain controllers 
running on ESX servers in an optimized configuration the performance is very 
close to hardware. I have noticed that in terms of LDAP performance 
VM's are a tad bit slower than hardware, but that "tad" is well within the range 
of performance that applications like Exchange require. After over 
a year of having virtualized DC's we have not had any problems 
with virtualized domain controllers (placed globally on ESX servers around 
the world). We do, however, work on the side of caution and do 
maintain a few hardware DC's in our HQ that own FSMO roles, but I've 
seen nothing to suggest that they could not be on VM's to date (it's 
just a precaution). 

I have to admit at first I totally dismissed virtualization 
because I considered it, like others, as more of a development\test environment 
solution, however I have since been convinced after working with virtualized 
OS's that it has its place (we have 100's if not 1000's of virtualized hosts 
currently in production). I/O intensive applications are not a good place 
for virtualization in production, but other less I/O intensive applications work 
great with it. Brian does have a point in that it has to be "done 
correctly" and with the right understanding of how to build a high performing 
virtualization environment it will work just fine for domain controllers\global 
catalog servers.

Regards,
Steven

  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Brian Desmond
  Sent: Wednesday, June 07, 2006 12:04 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual DCs
  
  
  I have no problem with VMWare or Virtual Server DCs if done correctly. Frankly, 
  7K users is like pocket change if you ask me. Really, the users generate no 
  load - they logon to the PC and change their password. Things like Exchange 
  (and OLK), machines, and other AD aware apps do. If properly written and the 
  virtual hardware properly configured everything should still jive. If I had to 
  make a one off guess with no more info I'd say go for it. The price war with 
  MS and EMC on virtualization has made this far more economical, and if you're 
  going to be doing branches, you can play your sacred card and virtualize stuff 
  and quasi isolate it. There have been a couple lengthy discussions on that 
  subject recently - Tony has a search widget on the website for this DL. 
  :)
  
  
  Thanks,
  Brian 
  Desmond
  [EMAIL PROTECTED]
  
  c 
  - 312.731.3132
  
  
  
  From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Molkentin, Steve
  Sent: Tuesday, June 06, 2006 8:50 AM
  To: ActiveDir@mail.activedir.org
  Subject: RE: [ActiveDir] Virtual DCs
  
  Ada,
  
  I am 
  intrigued as to why "management" are directing you to do this. What benefits 
  do they perceive? Do they understand the nature of the 2K3 directory and the 
  load 7,000 users puts on it?
  
  This 
  is not a criticism - just a curious thinking out loud 
  moment...
  
  Personally 
  - I wouldn't do it. Some would say a DC is a sacred thing, not to be toyed 
  with. Proof of concept is always good in these scenarios... if you were 
  to set this up in a lab, even with just two VMWare-ed DC's, you could show the 
  overhead this would place on the machine and help them to understand the 
  additional cost this will bring.
  
  Remember, 
  a DC that is just a DC (AD, DNS, maybe DHCP) doesn't need to be a gutsy box - 
  it can just be a PC rebuilt with Win2K3 server on it. However it does need to 
  stay up all the time. ;)
  
  themolk.
  
  




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rivera, Ada
Sent: Tuesday, 6 June 2006 9:51 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Virtual DCs

We have a single domain forest with about 7,000 users. Currently we have 8 AD regional sites and one HQ AD site. The regional sites each have a DC serving their local regional area and there are multiple DCs in our HQ site. The environment is currently running Windows 2000 SP4 and we are looking to upgrade our DCs to W2K3. The direction from management is that we will put all of our domain controllers on VMware when we upgrade the DCs to W2K3. Does anyone have any thoughts on this? Good or bad idea?


[ActiveDir] LDAP Directory Server Path

2006-06-07 Thread HBooGz
My first post, definite follower.

My development staff is trying to implement an ASP.NET application using AD/LDAP authentication. They need the path to my LDAP directory server. I've come across some notes that indicate the path syntax is similar to the following:

LDAP://Yourcompany.com/DC=yourcompany,DC=com

If the Active Directory domain is named harry.org, what would the syntax be? LDAP://harry.org/DC=harry,DC=org ?

I really just need the LDAP path so that this application can authenticate logins using AD.

Thanks.

-- 
HBooGz:\


[ActiveDir] AD integration/replication with OS in different languages

2006-06-07 Thread Molkentin, Steve
All,

This may seem pretty straight forward, but I haven't been able to track
down any definitive info anywhere, not even from Microsoft.

We are looking at connecting a number of businesses within our region
(Asia Pacific) to the same domain. No stress there - most of the DC's
(where they exist) are all in some variant of English (all running
Windows Server 2003). We have some businesses in China, however, that
use the Chinese version of Windows Server 2003.

What I am asking is do we need to do anything special (other than maybe
install the Chinese language packs on the English servers so we can read
the characters they have entered as data for their accounts, etc) to
have the directories integrate and not screw up replication or whatever?
I do not believe so - it should all be the same, just a different
character set responsible for some data entry so that will be copied but
only readable with language packs installed. I just thought I would run
it by the fonts of all knowledge here, as I am sure people have had
similar issues that allow them to shed specific light on this dilemma.

All help/pointers are greatly appreciated.

Thanks!  :)
 
Steve Molkentin (themolk).

Senior Network Engineer 
Information Services Team (Qld)
ASSA ABLOY Asia Pacific
(p) +61 (0)7 3373 5233
(m) +61 (0)401 709 405
http://www.assaabloyasiapacific.com 
List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx


[ActiveDir] Please Remove Me From your List

2006-06-07 Thread Ellis, Debbie

I will be on vacation for two weeks.

Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Egress filtering so that there's less ports for me to keep an eye on... 
those high level ports can be used for backdoors, trojans and what 
not... I live in California.. I have SSNs in an encrypted database... I 
have sucky vendors that won't support encryption... so I'm putting all 
the layers I can.


I don't trust my secretary that 'has' downloaded malware on her machine 
(she's nonadmin these days along with many others in my firm).


I have a tiny network in comparison to you guys (Joe would get 
claustrophobic just opening up the group policy snap in and seeing 
hardly anything in there) but each workstation has XP sp2 with the 
firewalls enabled..and believe you me... if some high level port is 
needed, I need, I want to know what the 'normal' baseline traffic is on 
my network.. should something change... that's a sign of a new piece of 
software.. or worse yet... malware, trojans, yadda yadda... and I'm 
having a heart attack and licking stamps on post cards informing clients 
of an intrusion.


These days your interior trusted network can't be trusted anymore.  
The bad guys want my desktops.. and most of my risks in my sized network 
are coming in from those users.. not my server.



Al Mulnick wrote:


Hmm.. I'm surprised by that Susan. :)
 
Anyhow, why would you lock it down?  I'm curious as to what the 
motivation is in this particular instance to use the firewall like 
that?  What's the gain? What risk are you mitigating? What are you 
controlling?
 
As I understand this, it is not an internet facing machine such that a 
firewall is there to slow the rush.  This is firewalled off from other 
networks within the trusted networks (or not so trusted I suppose, 
since you did deploy a firewall.)  I'm not sure I understand what's to 
be gained by doing this, so I'm curious. I'm familiar with what other 
companies have done this type of configuration for, but I'm interested 
in this particular instance. 
 
 

 
On 6/7/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* 
[EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:


I think I'd be setting up a sniffer and figuring out exactly what
is wanting what open and why.

...that's an awful lot of ports... and exactly where is this firewall?

I'm with Brian.. except I would probably not use the f word.. but
I think I'd be going "okay this is fine to keep the bosses from
freaking out but we're getting to the bottom of this so I can
close those suckers back up or at least only open the minimums". 






RE: [ActiveDir] Please Remove Me From your List

2006-06-07 Thread Darren Mar-Elia



where are you going? Can we come along? 
:-)



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ellis, Debbie
Sent: Wednesday, June 07, 2006 9:00 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Please Remove Me From your List

I will be on vacation for two weeks.


Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
Besides .. if this is an interior firewall and you just opened up 
1024-65535.. and chances are 0-1024 is already open... what are they 
good for now?  What's their job now?  Why does he even need them now in 
these deployments if the ports are open?  Graphical views of malware as 
it streams across your network?


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

Egress filtering so that there's less ports for me to keep an eye 
on... those high level ports can be used for backdoors, trojans and 
what not... I live in California.. I have SSNs in an encrypted 
database... I have sucky vendors that won't support encryption... so 
I'm putting all the layers I can.


I don't trust my secretary that 'has' downloaded malware on her 
machine (she's nonadmin these days along with many others in my firm).


I have a tiny network in comparison to you guys (Joe would get 
claustrophobic just opening up the group policy snap in and seeing 
hardly anything in there) but each workstation has XP sp2 with the 
firewalls enabled..and believe you me... if some high level port is 
needed, I need, I want to know what the 'normal' baseline traffic is 
on my network.. should something change... that's a sign of a new 
piece of software.. or worse yet... malware, trojans, yadda yadda... 
and I'm having a heart attack and licking stamps on post cards 
informing clients of an intrusion.


These days your interior trusted network can't be trusted anymore.  
The bad guys want my desktops.. and most of my risks in my sized 
network are coming in from those users.. not my server.



Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-07 Thread Al Mulnick
So... you watch those ports then? You have some sort of watching going on for that set of ports? Or are you just relying on the concept that, hey, nothing should be talking to that set of ports, hence I shouldn't see anything in my firewall logs (which I'm reviewing religiously by the way) therefore this must be something amiss and or awry? Detection of issues (with a lag time built in) vs. prevention? 


In the case of the original poster, the firewall is a separately controlled device that I believe is walling off one network of users from a network of servers. In this case, Active Directory servers. I'm just not sure why and I'm insanely curious. :)


Al

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
No, LDAP://DC=harry,DC=org would be the path (note that LDAP is the protocol vs. part of the domain context)

Al


Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCsto2K3 SP1

2006-06-07 Thread Za Vue
Just curious.. how does everyone handle RPC ports on your LAN? 

I reg. hacked all servers to use ports 5001-5099. The ports are then 
enabled with GPO and allowed only specific subnets to come through. I 
know.. I had to manually key in all 100 entries.


-Z.V.
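An added example, not Za Vue's script or anything else from the thread: pinning the RPC dynamic port range on a Windows Server 2003 DC to 5001-5099 as he describes, using the registry values documented in Microsoft KB 154596, and then generating the per-port Windows Firewall exceptions he keyed in by hand, so the firewall between clients and DCs needs 135/tcp plus that range rather than 1024-65535. It assumes the 2003 SP1 / XP SP2 `netsh firewall` syntax; the client subnet is a placeholder and the DC must be rebooted for the RPC change to take effect.

```powershell
# Added example (not code from the thread): pin a Windows Server 2003 DC's RPC
# dynamic ports to a fixed range, as Za Vue describes, so the interior firewall
# needs 135/tcp (the endpoint mapper, which tells clients which port in the
# range a given RPC service listens on) plus this range instead of 1024-65535.
# Registry values per Microsoft KB 154596; range and client subnet are
# placeholders. Reboot the DC afterwards for the RPC change to take effect.
param(
    [int]   $First        = 5001,
    [int]   $Last         = 5099,
    [string]$ClientSubnet = '10.0.1.0/24'   # placeholder: the workstation subnet
)

$rpcKey = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
if (-not (Test-Path $rpcKey)) { New-Item -Path $rpcKey -Force | Out-Null }

# Ports is REG_MULTI_SZ with one "low-high" entry per range. 99 ports is tight
# for a DC that also serves Exchange and Outlook clients; size it for the load
# rather than copying the number.
Set-ItemProperty -Path $rpcKey -Name 'Ports'                  -Value @("$First-$Last") -Type MultiString
Set-ItemProperty -Path $rpcKey -Name 'PortsInternetAvailable' -Value 'Y' -Type String
Set-ItemProperty -Path $rpcKey -Name 'UseInternetPorts'       -Value 'Y' -Type String

# Read the values back so a scheduled compliance check can diff them later.
Get-ItemProperty -Path $rpcKey | Select-Object Ports, PortsInternetAvailable, UseInternetPorts

# Windows Firewall on 2003 SP1 / XP SP2 takes one port per exception, which is
# why the thread mentions keying in 100 entries by hand. Generate them instead,
# scoped to the client subnet rather than to any address.
foreach ($p in @(135) + ($First..$Last)) {
    netsh firewall add portopening protocol=TCP port=$p name=AD-RPC-$p mode=ENABLE scope=CUSTOM addresses=$ClientSubnet profile=ALL
}

# AD replication and FRS pick their own RPC port and can be fixed separately
# (Microsoft KB 224196) if DC-to-DC traffic also has to cross the firewall.
```

On Server 2008 and later a single rule covers the whole range, for example with New-NetFirewallRule and -LocalPort 135 plus "5001-5099", so the loop is only needed for the 2003-era firewall.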



[ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Condra, Jerry W Mr HP

Does anyone know if there's a corresponding event id to a user's mailbox
being purged from an Exchange server after the retention timeframe
expires? I see event id 9535 showing the number of deleted mailboxes
cleaned but I want to know if there's an event showing the actual names
associated with mailboxes purged once past the retention date.

Thanks
 
Jerry 



Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread HBooGz
Thanks Al -

When I type that into my web browser a search function comes up -- should I be able to search for objects successfully using this? Because currently I get an error message.

Also, the development staff is trying to create a form to authenticate users who login against AD. The path mentioned above is all they would need? Even if this login authentication page is located in the DMZ?

Thanks,

On 6/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
No, LDAP://DC=harry,DC=org would be the path (note that LDAP is the protocol vs. part of the domain context)

Al

-- HBooGz:\
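As an added example that is not from the thread: validating a user's credentials against the path Al gives, LDAP://DC=harry,DC=org, with the same System.DirectoryServices classes an ASP.NET forms-authentication page would use, written here in PowerShell. The domain, account and password are placeholders, and a DMZ web server is assumed to be allowed through the firewall to a domain controller.

```powershell
# Added example (not from the thread): validate a user's credentials against
# the ADsPath Al gives, LDAP://DC=harry,DC=org, with the System.DirectoryServices
# classes an ASP.NET forms-auth page would use. Domain, account and password are
# placeholders. AuthenticationTypes.Secure makes the bind use Windows (Negotiate)
# authentication instead of a simple bind, so the password is not sent in clear.
function Test-AdCredential {
    param(
        [Parameter(Mandatory)][string]$LdapPath,   # e.g. 'LDAP://DC=harry,DC=org'
        [Parameter(Mandatory)][string]$UserName,   # 'HARRY\jdoe' or 'jdoe@harry.org'
        [Parameter(Mandatory)][string]$Password
    )
    Add-Type -AssemblyName System.DirectoryServices
    $auth  = [System.DirectoryServices.AuthenticationTypes]::Secure
    $entry = New-Object System.DirectoryServices.DirectoryEntry($LdapPath, $UserName, $Password, $auth)
    try {
        # Touching NativeObject forces the bind; a wrong password throws here.
        $null = $entry.NativeObject

        # Bound. Look the account up so the application gets the DN back, not
        # just yes/no. The name came from a web form, so escape the LDAP filter
        # metacharacters (RFC 4515) before putting it into the filter.
        $sam  = $UserName.Split('\')[-1].Split('@')[0]
        $safe = $sam -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
        $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
        $hit = $searcher.FindOne()
        $dn  = $null
        if ($hit) { $dn = $hit.Properties['distinguishedname'][0] }
        [pscustomobject]@{ Authenticated = $true; DistinguishedName = $dn; Error = $null }
    } catch {
        # Bad password, disabled or locked account, or no reachable DC all land
        # here; log the reason server-side but show the user a generic failure.
        [pscustomobject]@{ Authenticated = $false; DistinguishedName = $null; Error = $_.Exception.Message }
    } finally {
        $entry.Dispose()
    }
}

# Placeholder call; from a DMZ web server this only succeeds if the firewall
# lets the web server reach a domain controller.
Test-AdCredential -LdapPath 'LDAP://DC=harry,DC=org' -UserName 'HARRY\jdoe' -Password 'placeholder'
```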


Re: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Phil Renouf
Doesn't the Quest migration tool now claim to be able to migrate without any trusts? It's been a little while since I looked into any migration tools though so maybe my memory is slipping.

Phil
On 6/1/06, Darren Mar-Elia [EMAIL PROTECTED] wrote:



Moveuser.exe is the tool that I would typically use for this to do it in a batch fashion. Just not sure if the lack of trust will be an issue, but probably worth a try. It's in the Reskit tools.


Darren


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Thursday, June 01, 2006 2:39 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration to new domain


Suggestions? More like a shot in the dark. :)

Have you seen the transfer your settings wizard in XP? Have you checked to see what that can do for you? I suspect there will be some scripting involved, because there will be no automated way to determine the source/target profiles programmatically. You could migrate their settings etc, but there's no sid/sidhistory to reference. Not much point in getting that information either. There's also the permissions issues etc. 


Was it me, I'd suggest taking this opportunity to re-image the workstations in question. Cleaner, neater, more secure, and no lingering issues to deal with. 

Al

On 6/1/06, Condra, Jerry W Mr HP [EMAIL PROTECTED]
 wrote: 
Hi all

The environment I'm in has multiple domains and I've been given a task to move about 40 users from one domain to another. There's no trust between the source domain and mine and no plans to have one. Too much red tape. My dilemma is trying to preserve the user's desktop profiles when they come over to my domain. In the past there's been a trust between any domain migrations I've performed which provides a host of avenues but with no trust I'm not sure of a way to do it other than some manual moves and permission/registry tweaks. However, doing that for 40 users with a manual process is not my idea of fun. Saving their email is covered so it's not an issue. Any ideas or methods would be welcomed.

Many thanks

Jerry



Re: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Tom Kern
I've been using it for a while and it still requires trusts.
It even has a Trust Migration Wizard that is run as part of their Pre-Migration Activities
On 6/7/06, Phil Renouf [EMAIL PROTECTED] wrote:


Doesnt the Quest migration tool now claim to be able to migrate without any trusts? It's been a little while since I looked into any migration tools though so maybe my memory is slipping.


Phil




RE: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-07 Thread Victor W.



Yes, according to this article it looks like it. Still 
wondering why you then need to have the necessary rights on the 
Administrative Group in order to uninstall Exchange.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Wednesday, 7 June 2006 1:24
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

In theory, you *could* just remove it from ESM if you believe this 
article. 

http://support.microsoft.com/?kbid=260378
On 6/6/06, Victor W. 
[EMAIL PROTECTED] wrote: 


  
  
Lately I have been thinking about the following:
What actually happens in Active Directory, and what changes in it, while or after having uninstalled Exchange?

I am asking this because usually when I uninstall an Exchange server, I do this according to the KB articles from Microsoft, i.e. "How to remove the first Exchange server".

After that I insert the Exchange 2003 CD and do a 'remove components' (in case of Exchange 2000 I remove it from within Add/Remove Programs in Control Panel).
After having done that I go into ESM and delete the server object from there.

Recently I have had a customer asking me to remove his first Exchange server and transfer everything to another Exchange server. So I went along and followed the KB article up to the point where I had to uninstall Exchange. Everything went fine.
After that, before I wanted to uninstall Exchange, I stopped the Exchange services and left them so for a day, just to be sure everything kept on running right without the Exchange services on the old server running.
This also went fine. I then left the instructions with the customer on how to uninstall Exchange and delete the server object from within ESM. They want to do something themselves also; they have their own IT department :-).
Instead of doing that, they simply switched the server off and told me this a couple of days later.
I of course told them that Exchange needed to be uninstalled the way Microsoft says, but now they want me to somehow prove what will happen if they do it as they have always done it: simply remove the server object from within ESM and not uninstall Exchange from the server at all.
This Exchange Organisation consists of several servers and several Administrative Groups.

I know that in order to uninstall Exchange you need the necessary rights on the Administrative Group the server is in, so I guess that during the uninstall, the server 'unties' itself from that Administrative Group.
But what happens if you don't do this, are you then really stuck with pieces in AD of the 'not properly uninstalled server'?

Let's say you would not uninstall Exchange but you would remove the server object from within ESM and then, much later, you would bring that same server, not uninstalled, online again. I guess you could end up with a messy thing then. But I don't think Microsoft says to uninstall Exchange because of this reason only.

Is there a program for AD like there is 'Snapshot' for the Windows registry? A program which creates a 'before' and 'after' picture.

Or am I now thinking too complex?

Can anybody shed some light on what exactly is altered in AD when doing an uninstall of an Exchange server?

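Victor asks for something that takes a 'before' and 'after' picture of AD. The PowerShell below is an added example and not code from the thread: it dumps every object under CN=Microsoft Exchange,CN=Services in the configuration partition (where the organisation, administrative groups, server, store and system attendant objects live) to one line per object, so a snapshot taken before the uninstall can be diffed against one taken afterwards, or against what a bare "delete the server in ESM" leaves behind. It uses System.DirectoryServices only, so it works against a 2003-era forest. The file paths in the usage lines are placeholders.

```powershell
# Added example, not from the thread: snapshot the Exchange configuration
# subtree so an uninstall (or a bare "delete the server in ESM") can be
# compared before and after. Uses System.DirectoryServices only, so it runs
# against a 2003-era domain without the AD PowerShell module.

function Get-ConfigurationNc {
    # rootDSE tells us the configuration naming context of the forest we are in
    [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
}

function Get-ExchangeConfigSnapshot {
    param([string]$ConfigNc = (Get-ConfigurationNc))
    $root = [ADSI]("LDAP://CN=Microsoft Exchange,CN=Services," + $ConfigNc)
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.SearchScope = 'Subtree'
    $s.Filter = '(objectClass=*)'
    $s.PageSize = 1000
    foreach ($p in 'distinguishedName','objectClass','uSNChanged','whenChanged') {
        [void]$s.PropertiesToLoad.Add($p)
    }
    foreach ($r in $s.FindAll()) {
        # one line per object: DN, most specific class, uSNChanged, whenChanged
        $classes = @($r.Properties['objectclass'])
        $cls = $classes[$classes.Count - 1]
        '{0}|{1}|{2}|{3}' -f $r.Properties['distinguishedname'][0], $cls,
                              $r.Properties['usnchanged'][0], $r.Properties['whenchanged'][0]
    }
}

function Compare-Snapshots {
    param([string[]]$Before, [string[]]$After)
    # key on DN so a changed uSNChanged shows as MODIFIED, not as remove+add
    $b = @{}; foreach ($l in $Before) { $b[$l.Split('|')[0]] = $l }
    $a = @{}; foreach ($l in $After)  { $a[$l.Split('|')[0]] = $l }
    foreach ($dn in $b.Keys) {
        if (-not $a.ContainsKey($dn))  { "REMOVED  $dn" }
        elseif ($a[$dn] -ne $b[$dn])   { "MODIFIED $dn" }
    }
    foreach ($dn in $a.Keys) { if (-not $b.ContainsKey($dn)) { "ADDED    $dn" } }
}

# Usage (paths are placeholders):
# Get-ExchangeConfigSnapshot | Set-Content C:\snap\exch-before.txt
# ... uninstall Exchange, or just delete the server object in ESM ...
# Get-ExchangeConfigSnapshot | Set-Content C:\snap\exch-after.txt
# Compare-Snapshots -Before (Get-Content C:\snap\exch-before.txt) -After (Get-Content C:\snap\exch-after.txt)
```

Note what this does not cover: the per-mailbox side of an Exchange server (homeMDB and the other msExch* attributes on user objects) lives in the domain partition, not under the configuration container, so a second snapshot rooted at the domain NC is needed if you want to see those change as mailboxes are moved off the old server.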


[ActiveDir] AD LDAP Logging.

2006-06-07 Thread Yann
Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD 2k3. An application named ZOPE running on a Linux box accesses my DC. Users use a web page, via the ZOPE application, that connects to my DC to list user information. Sometimes users are disconnected from my DC and the admin responsible for the ZOPE app called me to resolve this issue.

What are the different steps to troubleshoot possible problems with LDAP connections to my DC?

Thanks in advance for help,
Yann

RE: [ActiveDir] OT: E2K3 ~ Deleted mailboxes

2006-06-07 Thread Wehner, Paul \(wehnerpl\)
You'll get 9535 with text of some number of mailboxes removed, followed
shortly thereafter by ID 1100 stating the number of folders deleted during
background DB cleanup. 
 


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W
Mr HP
Sent: Wednesday, June 07, 2006 1:02 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: E2K3 ~ Deleted mailboxes


Does anyone know if there's a corresponding event id to a user's mailbox
being purged from an Exchange server after the retention timeframe
expires? I see event id 9535 showing the number of deleted mailboxes
cleaned but I want to know if there's an event showing the actual names
associated with mailboxes purged once past the retention date.

Thanks
 
Jerry 


Re: [ActiveDir] PCs hang at Applying computer settings after upgradingDCs to 2K3 SP1

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]
One advantage of ISA server being on the DC (yes folks I told you we are 
insane..but I do have a hardware firewall on the outside) is yeah... 
I've got the data watching that crud...I turn into an atheist every now 
and then and lose religion I will admit and don't review the daily 
firewall report emails always like I should ...but Dana Epp's Scorpion 
Software ISA (can be used on other firewalls) dashboard greatly helps to 
narrow my investigation when I need it.


Why MS at 207.46.236.25 is wanting to connect to my port 46844.. I don't 
know..but ISA is blocking it nonetheless


About once a month I throw up the real time monitor and just see what 
the gang is doing (yes our AUP states that I can do this).. we now block 
myspace.com as a result..(among other sites)


Honestly I don't do it as well as I should... but I try.

But if you had those blocks in place before... there was a reason... and 
that firm has now done a major change management and especially with 
firewalls... that's one big change management that you've done with 
those domain controllers.


Isn't domain isolation a good thing?
IT's Showtime:
http://www.microsoft.com/australia/showtime/sessionh.aspx?videoid=115



Al Mulnick wrote:

So... you watch those ports then?  You have some sort of watching going on for that set of ports? Or are you just relying on the concept that, hey, nothing should be talking to that set of ports, hence I shouldn't see anything in my firewall logs (which I'm reviewing religiously by the way) therefore this must be something amiss and or awry? Detection of issues (with a lag time built in) vs. prevention?

In the case of the original poster, the firewall is a separately controlled device that I believe is walling off one network of users from a network of servers.  In this case, Active Directory servers.  I'm just not sure why and I'm insanely curious. :)

Al

On 6/7/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Egress filtering so that there's less ports for me to keep an eye on... those high level ports can be used for backdoors, trojans and what not... I live in California.. I have SSNs in an encrypted database... I have sucky vendors that won't support encryption... so I'm putting all the layers I can.

I don't trust my secretary that 'has' downloaded malware on her machine (she's nonadmin these days along with many others in my firm).

I have a tiny network in comparison to you guys (Joe would get claustrophobic just opening up the group policy snap in and seeing hardly anything in there) but each workstation has XP sp2 with the firewalls enabled..and believe you me... if some high level port is needed, I need, I want to know what the 'normal' baseline traffic is on my network.. should something change... that's a sign of a new piece of software.. or worse yet... malware, trojans, yadda yadda... and I'm having a heart attack and licking stamps on post cards informing clients of an intrusion.

These days your interior trusted network can't be trusted anymore. The bad guys want my desktops.. and most of my risks in my sized network is coming in from those users.. not my server.

Al Mulnick wrote:

Hmm.. I'm surprised by that Susan. :)

Anyhow, why would you lock it down?  I'm curious as to what the motivation is in this particular instance to use the firewall like that?  What's the gain? What risk are you mitigating? What are you controlling?

As I understand this, it is not an internet facing machine such that a firewall is there to slow the rush.  This is firewalled off from other networks within the trusted networks (or not so trusted I suppose, since you did deploy a firewall.)  I'm not sure I understand what's to be gained by doing this, so I'm curious. I'm familiar with what other companies have done this type of configuration for, but I'm interested in this particular instance.

On 6/7/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

I think I'd be setting up a sniffer and figuring out exactly what is wanting what open and why.

...that's an awful lot of ports... and exactly where is this firewall?

I'm with Brian.. except I would probably not use the f word.. but I think I'd be going "okay this is fine to keep the bosses from freaking out but we're getting to the bottom of this so I can close those suckers back up or at least only open the minimums."

Brian Desmond wrote:

*And fwiw you have some forgiving firewall people. I would have told you to f off 

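The thread's conclusion is "open only the minimums" and "know your baseline". The PowerShell below is an added example, not something posted in the thread, of how I would do both on a 2003-era DC: pin the RPC dynamic range (the HKLM\SOFTWARE\Microsoft\Rpc\Internet keys), pin the AD replication and Netlogon RPC endpoints, and then record which TCP ports are listening so a later run can be diffed against that baseline. The port numbers and the baseline path are my own choices for illustration; the registry value names are the documented ones.

```powershell
# Added example, not from the thread: pin the dynamic RPC range on a DC so
# the firewall can open a small range instead of 1024-65535, then record
# what is actually listening and diff that against a saved baseline.
# Run elevated on the DC; reboot after Set-RpcPortRange. The port numbers
# and the baseline path are assumptions chosen for illustration.

$RpcRange     = '49152-49200'   # assumed: what the endpoint mapper may hand out
$ReplPort     = 49201           # assumed: fixed AD replication (NTDS) port
$NetlogonPort = 49202           # assumed: fixed Netlogon RPC port
$BaselineFile = 'C:\baseline\listening-ports.txt'

function Set-RpcPortRange {
    param([string]$Range, [int]$Ntds, [int]$Netlogon)
    $rpc = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
    if (-not (Test-Path $rpc)) { [void](New-Item -Path $rpc -Force) }
    # REG_MULTI_SZ of ranges, plus the two switches that make RPC honour it
    Set-ItemProperty -Path $rpc -Name 'Ports' -Value @($Range) -Type MultiString
    Set-ItemProperty -Path $rpc -Name 'PortsInternetAvailable' -Value 'Y' -Type String
    Set-ItemProperty -Path $rpc -Name 'UseInternetPorts' -Value 'Y' -Type String
    # AD replication and Netlogon have their own knobs and can be pinned to one port each
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
        -Name 'TCP/IP Port' -Value $Ntds -Type DWord
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters' `
        -Name 'DCTcpipPort' -Value $Netlogon -Type DWord
}

function Get-ListeningPorts {
    # Parse netstat rather than Get-NetTCPConnection, which 2003 does not have
    netstat -ano | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$') {
            $owner = Get-Process -Id ([int]$Matches[2]) -ErrorAction SilentlyContinue
            $name  = if ($owner) { $owner.ProcessName } else { 'unknown' }
            '{0},{1}' -f ([int]$Matches[1]), $name
        }
    } | Sort-Object -Unique
}

function Compare-WithBaseline {
    param([string]$Path)
    $now = @(Get-ListeningPorts)
    if (-not (Test-Path $Path)) {
        # first run: record the baseline, nothing to report yet
        $now | Set-Content -Path $Path
        return @()
    }
    $base = @(Get-Content -Path $Path)
    # anything listening now that was not in the baseline is new software, or worse
    Compare-Object -ReferenceObject $base -DifferenceObject $now |
        Where-Object { $_.SideIndicator -eq '=>' } |
        ForEach-Object { $_.InputObject }
}

Set-RpcPortRange -Range $RpcRange -Ntds $ReplPort -Netlogon $NetlogonPort
# After the reboot the firewall needs TCP 135 plus 49152-49202 for RPC
# (Kerberos, LDAP, SMB, DNS keep their fixed ports). This reports anything
# that has started listening since the baseline was taken:
$new = Compare-WithBaseline -Path $BaselineFile
if ($new) { Write-Warning ('New listeners since baseline: ' + ($new -join '; ')) }
```

The range has to be wide enough for every RPC server on the box (on a DC that includes the replication, Netlogon, KDC, FRS and DCOM endpoints), and the Ports value has to be set on every server the clients talk to, not only on the DCs; a client that still has to reach an unpinned RPC server elsewhere will ask the endpoint mapper for a port outside the range and hang the way the original poster's machines did.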
Re: [ActiveDir] [OT] Uninstalling Exchange - how does this modify AD, what alters in AD

2006-06-07 Thread Al Mulnick
Aren't you removing an item from that AG? Shouldn't you have to have rights for that?

On 6/7/06, Victor W. [EMAIL PROTECTED] wrote:



Yes, according to this article it looks like it. Still wondering why you then need to have the necessary rights on the Administrative Group in order to uninstall Exchange.





Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Al Mulnick
Totally different questions. 
The ldap path is what is needed to connect to the directory via .net (there are many examples in the language dialect your development staff are planning to use; Joe Kaplan is a good person to search for as he does this frequently and I believe has even taken the time to write a book about it). 


Accessing it from a 'DMZ' depending on what that means to you is a different animal altogether and has a lot more to do with architecture, routing, physical connections, and name resolution. Architecture is a huge part of that equation. There's nowhere near enough information in your posts, nor would I think it appropriate that you share that amount of information with outsiders, to even begin to answer that question in a usable manner. 


To see/use that syntax, minus the protocol portion, have a look at tools like LDP.EXE. Also search the Microsoft site for things like .net examples and ldap syntax and .net examples. You'll see what I mean. 

Al

On 6/7/06, HBooGz [EMAIL PROTECTED] wrote:

Thanks Al -

When I type that into my web browser a search function comes up -- should I be able to search for objects successfully using this? Because currently I get an error message.

Also, the development staff is trying to create a form to authenticate users who login against AD. The path mentioned above is all they would need? Even if this login authentication page is located in the DMZ? 
Thanks,

On 6/7/06, Al Mulnick [EMAIL PROTECTED] wrote:
 


No, LDAP://DC=harry,DC=org would be the path (note that LDAP is the protocol vs. part of the domain context)


Al

On 6/7/06, HBooGz [EMAIL PROTECTED] wrote: 


My first post, definite follower.

My development staff is trying to implement an ASP.NET application using AD/LDAP authentication. They need the path to my LDAP directory server. I've come across some notes that indicate the path syntax is similar to the following: 
LDAP://Yourcompany.com/DC=yourcompany,DC=com

If the Active Directory domain is named harry.org -- what would the syntax be? 
LDAP://harry.org/DC=harry,DC=org ?

I really just need the LDAP path so that this application can authenticate logins using AD.

Thanks.
-- 
HBooGz:\ 
-- 
HBooGz:\ 

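Al's point is that LDAP:// is the protocol and DC=harry,DC=org is the naming context. The PowerShell below, an added example and not code from the thread, builds that path for harry.org and shows the two things a login form in a DMZ must get right that the path alone does not: bind with Negotiate plus sealing (or over LDAPS on 636) rather than a cleartext simple bind, and escape the user-supplied account name before it is placed in an LDAP filter, so a login of `*)(objectClass=*` cannot rewrite the query. The account names are placeholders; the DMZ host also needs DNS for harry.org and TCP 389 or 636 to a DC.

```powershell
# Added example, not from the thread: what an ASP.NET-style login check
# against AD looks like from System.DirectoryServices, and the two things
# a form in a DMZ must get right: bind with Negotiate+Sealing (or LDAPS),
# never a cleartext simple bind, and escape the user-supplied name before
# it goes into an LDAP filter. harry.org is the domain from the thread;
# the account names are placeholders.

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapPath {
    param([string]$DnsDomain, [switch]$Ldaps)
    # LDAP://harry.org/DC=harry,DC=org  (LDAP is the protocol, the DCs are the domain)
    $nc = ($DnsDomain.Split('.') | ForEach-Object { "DC=$_" }) -join ','
    if ($Ldaps) { "LDAP://${DnsDomain}:636/$nc" } else { "LDAP://$DnsDomain/$nc" }
}

function ConvertTo-LdapFilterLiteral {
    param([string]$Value)
    # RFC 4515 escaping: a login field of  *)(objectClass=*  must stay a literal
    $map = @{ '\' = '\5c'; '*' = '\2a'; '(' = '\28'; ')' = '\29'; "`0" = '\00' }
    $out = foreach ($ch in $Value.ToCharArray()) {
        $s = [string]$ch
        if ($map.ContainsKey($s)) { $map[$s] } else { $s }
    }
    -join $out
}

function Test-AdCredential {
    param([string]$DnsDomain, [string]$UserName, [string]$Password, [switch]$Ldaps)
    # Secure = Negotiate (Kerberos, falling back to NTLM); Sealing = encrypt the
    # session; SecureSocketsLayer wraps it in TLS on 636 for the DMZ hop.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing
    if ($Ldaps) { $auth = $auth -bor [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer }
    $entry = New-Object System.DirectoryServices.DirectoryEntry(
        (ConvertTo-LdapPath -DnsDomain $DnsDomain -Ldaps:$Ldaps), $UserName, $Password, $auth)
    try {
        [void]$entry.NativeObject      # forces the bind; bad credentials throw here
        return $true
    } catch [System.Runtime.InteropServices.COMException] {
        return $false
    } finally {
        $entry.Dispose()
    }
}

function Get-AdUserDn {
    param([string]$DnsDomain, [string]$SamAccountName)
    # Runs as the process identity (the app pool's low-privilege service account),
    # never as the user being looked up.
    $root = New-Object System.DirectoryServices.DirectoryEntry((ConvertTo-LdapPath -DnsDomain $DnsDomain))
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    $s.Filter = '(&(objectCategory=person)(objectClass=user)(sAMAccountName={0}))' -f
                (ConvertTo-LdapFilterLiteral $SamAccountName)
    [void]$s.PropertiesToLoad.Add('distinguishedName')
    $r = $s.FindOne()
    if ($r) { [string]$r.Properties['distinguishedname'][0] } else { $null }
}

# ConvertTo-LdapPath 'harry.org'                  -> LDAP://harry.org/DC=harry,DC=org
# ConvertTo-LdapFilterLiteral '*)(objectClass=*'  -> \2a\29\28objectClass=\2a
# Test-AdCredential -DnsDomain 'harry.org' -UserName 'HARRY\jdoe' -Password $pw -Ldaps
```

Typing the path into a browser, as HBooGz did, is not a test of anything: the browser has no LDAP client and what appears is whatever the browser does with an unknown scheme. Test the path with ldp.exe or with the functions above from the box the application will actually run on.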

[ActiveDir] sample vbs script

2006-06-07 Thread Antonio Aranda
Thanks for all your help. I have another idea; let me know if it's a dumb idea. Is there a way with scripting to create a copy of a pre-existing user? Just create a copy of the user, change the names but have identical membership to security groups and OU and all other attributes. 

Thanks

Antonio
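Antonio's idea is workable but "all other attributes" is the part to be careful with. The PowerShell below is an added example, not a script from the thread: it clones a template user into the same OU with ADSI, copies a fixed list of descriptive attributes, sets a fresh password and forces a change at first logon, and copies group memberships. It refuses to copy membership in protected (adminCount=1) groups, because a cloned template is exactly how privileged membership quietly spreads. The attribute list and the names are my choices.

```powershell
# Added example, not from the thread: clone an existing user with ADSI,
# copying a fixed list of descriptive attributes and the group memberships
# into a new account in the same OU. Names are placeholders. Anything tied
# to the identity (SID, name, password, logon hours, last-logon data) is
# deliberately not copied.

$CopyAttributes = 'description','department','company','title','physicalDeliveryOfficeName',
                  'scriptPath','homeDrive','profilePath','userWorkstations'

function Copy-AdUser {
    param(
        [string]$SourceDn,          # e.g. CN=Template User,OU=Staff,DC=harry,DC=org
        [string]$NewCn,
        [string]$NewSamAccountName,
        [string]$NewUpn,
        [string]$InitialPassword
    )
    $src = [ADSI]"LDAP://$SourceDn"
    $ou  = $src.Parent                        # same OU as the template
    $new = $ou.Create('user', "CN=$NewCn")
    $new.Put('sAMAccountName', $NewSamAccountName)
    $new.Put('userPrincipalName', $NewUpn)
    foreach ($attr in $CopyAttributes) {
        $v = $src.Properties[$attr].Value
        if ($v -ne $null) { $new.Put($attr, $v) }
    }
    $new.SetInfo()                            # object must exist before password/UAC
    $new.SetPassword($InitialPassword)
    $new.Put('userAccountControl', 512)       # NORMAL_ACCOUNT, enabled
    $new.Put('pwdLastSet', 0)                 # force a change at first logon
    $new.SetInfo()

    # memberOf lists every group except the primary group, which the new
    # account gets by default. Membership in a protected (adminCount=1) group
    # is reported and skipped rather than cloned.
    foreach ($groupDn in @($src.Properties['memberOf'])) {
        $grp = [ADSI]"LDAP://$groupDn"
        if ([int]($grp.Properties['adminCount'].Value) -eq 1) {
            Write-Warning "Not cloning membership in protected group $groupDn"
            continue
        }
        $grp.Add($new.Path)
    }
    $new.Path
}

# Copy-AdUser -SourceDn 'CN=Template User,OU=Staff,DC=harry,DC=org' -NewCn 'Jane Doe' `
#     -NewSamAccountName 'jdoe' -NewUpn 'jdoe@harry.org' -InitialPassword 'Changeme-1st'
```

The fixed attribute list is the point: copying with a blanket "everything" would also carry across values such as the template's manager, mail, proxyAddresses or logon-hours, and any of those being wrong on a new account is harder to notice than a missing department.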

RE: [ActiveDir] Profile migration to new domain

2006-06-07 Thread Grillenmeier, Guido



just in case you've not yet proceeded with any of your 
actions: a trust is not a requirement to migrate your users and do the profile 
updates on the clients or in fact to migrate objects from one domain to 
another. You can work just fine with passthrough-authentication instead 
(i.e. using an admin user + password from one domain, that is the same as an 
admin user + password in the other domain). You are however limited in what you 
can migrate, e.g. you won't be able to migrate the user passwords and you 
won't be able to use SIDhistory. Both should be 
uncritical if you only have to migrate 40 users...

ADMT basically performs the steps that Susan described in 
the "User Profile Registry" part. There is however one little step missing in 
that list of steps, which is to grant the new user account full control over the 
old profile path directory on the respective client - this is also being taken 
care of automatically by ADMT.

Your benefit: you can also migrate groups and group 
memberships (or merge the users into existing groups in the target domain), if 
this is required in your case. Don't know any details of your environment, 
so maybe you don't want to take over the groups and memberships of the users you 
are migrating across... 

/Guido


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Condra, Jerry W Mr HP
Sent: Friday, 2 June 2006 17:04
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Profile migration to new domain


Thanks to everyone for the input. Definitely helpful. Looks like the lack of a domain 
trust is going to prevent most methods. We'll have to resort to a manual process 
along the lines of Susan's steps unless they can be convinced to just come over 
fresh.

And yes, the 
kool-aid is plentiful. ;-)

Many 
thanks
Jerry





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 9:10 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Profile migration to new domain


Silly, just go back to the OEM version. It's 
already paid for, supported, etc. 



If not, let me know and I'll forward my shipping address 
off-line. G



As for the Dell support, I've found that using their 
support web controls often helps. Unless there was a mod on the machine, 
it's likely that they have the driver out there. You *could* always go to 
the nic manufacturer and get a driver there as well. 



I don't think that Mr HP has that issue though. 
I'm pretty sure he has a large pool with which to get licenses and likely has a 
support contract that he can utilize for assistance getting tools, drivers, 
advice, developer interaction, kool-aid, etc. Just a guess though. :) 




Al

On 6/1/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] [EMAIL PROTECTED] wrote: 

Well I nuked and paved a formerly Dell OEM now a retail OS.. and now can't get the NIC on the motherboard to find nic drivers... anyone for a black decorative doorstop until I find the driver it wants or throw an Intel card in there?

Small firms we
a. don't have the proper license to nuke/pave/reimage
b. may not have the proper media to restore (you get the lovely OEM view of 'restoration media')
c. We're already running the kitchen sink service as it is and now you want us to RIS on that box as well? Geeze guys... (it can do it but we recommend you turn it on when you need it and turn it off otherwise Exchange isn't a real happy camper sharing mem space)

Al Mulnick wrote:

Sorry ma'am. I should have completed my sentence and said, "..unless Susan can post the step by step directions." Silly me for not proof reading first.

I'd still opt for nuke and pave in that environment. Allows you to have a known state, and last I checked that's kind of important to the type of customer he has.

Now he has more options. USMT would have been a thought except that there is no trust and no reason to move the sid that I can think of. Same reason that moveuser wouldn't really matter to me. I'd prefer the control of creating the users as new users. In effect, they are new users (secprin's) anyway - treat 'em that way. Susan offers a way to get the settings and magical icons though. That's a nice touch an option if so taken.

On 6/1/06, *Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]* [EMAIL PROTECTED] mailto:[EMAIL PROTECTED] wrote:

Rip out a profile? Nuke and pave? Bite your tongue sir... we want that icon to be exactly right THERE on the desktop.

file/transfer wiz in XP (but don't get docs..just do settings)

Download details: Windows Server 2003 Resource Kit Tools:
http://www.microsoft.com/downloads/details.aspx?FamilyID=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Moveuser.exe

How to migrate user accounts:
http://www.microsoft.com/technet/windowsvista/library/6730111b-b111-4a64-8f00-af87a63fd157.mspx

Moveuser - Move between
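Guido's point is that ADMT (and moveuser) do the client-side profile work for you, including the step most manual write-ups skip: giving the new account full control over the old profile directory. For the case where neither tool is an option, the PowerShell below is an added example, not something posted in the thread, of the manual equivalent I would run on each workstation: grant the new account full control on the profile folder and on the registry hive inside NTUSER.DAT, then re-key the ProfileList entry so the new SID owns the existing profile. The account name and profile path are placeholders. It has to run after the machine has joined the new domain and before the new account logs on for the first time, or Windows will create a fresh profile for that SID.

```powershell
# Added example, not from the thread: the manual equivalent of what Guido
# says ADMT/moveuser do for a profile when the new account has no
# SIDhistory. Run elevated on the workstation after it has joined the new
# domain and BEFORE the new account logs on for the first time (otherwise
# Windows creates a fresh profile for that SID). Account name and profile
# path are placeholders.

function Grant-ProfileToNewAccount {
    param(
        [string]$ProfilePath,     # e.g. C:\Documents and Settings\jdoe
        [string]$NewAccount       # e.g. NEWDOM\jdoe
    )
    $sid = (New-Object System.Security.Principal.NTAccount($NewAccount)).Translate(
               [System.Security.Principal.SecurityIdentifier]).Value

    # 1. Full control on the profile directory, inherited by everything below it
    $acl  = Get-Acl -Path $ProfilePath
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $NewAccount, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $ProfilePath -AclObject $acl

    # 2. Same for the hive inside NTUSER.DAT, or HKCU will be unwritable for the new SID
    $hive = 'HKU\MigratedHive'
    & reg.exe load $hive (Join-Path $ProfilePath 'NTUSER.DAT') | Out-Null
    try {
        $hacl  = Get-Acl -Path 'Registry::HKEY_USERS\MigratedHive'
        $hrule = New-Object System.Security.AccessControl.RegistryAccessRule(
                     $NewAccount, 'FullControl', 'ContainerInherit', 'None', 'Allow')
        $hacl.AddAccessRule($hrule)
        Set-Acl -Path 'Registry::HKEY_USERS\MigratedHive' -AclObject $hacl
    } finally {
        [GC]::Collect()           # release handles so the unload succeeds
        & reg.exe unload $hive | Out-Null
    }

    # 3. Tell the profile service the new SID owns this directory
    $list = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    $key  = Join-Path $list $sid
    if (-not (Test-Path $key)) { [void](New-Item -Path $key) }
    Set-ItemProperty -Path $key -Name 'ProfileImagePath' -Value $ProfilePath -Type ExpandString
    $sid
}

# Grant-ProfileToNewAccount -ProfilePath 'C:\Documents and Settings\jdoe' -NewAccount 'NEWDOM\jdoe'
```

This leaves the old account's ACEs in place (the old domain is not being trusted, so they resolve to unresolvable SIDs and can be cleaned up afterwards) and it does not touch anything inside the hive that stores the old SID as data, which is the part of the job moveuser and ADMT do more thoroughly and why Guido prefers them even for 40 users.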

RE: [ActiveDir] AD integration/replication with OS in different languages

2006-06-07 Thread Grillenmeier, Guido
Hello Steve,

you're right - language doesn't matter for any of the data stored in AD.
Replication will work just fine.  You might however face special
challenges in correctly displaying the characters that are entered by
your Chinese colleagues. This is where the language packs come in, as
you already guessed.

Especially with Exchange, clients using different languages/codepages
will contact GCs in AD to retrieve the GAL.  As clients can potentially
contact any GC (think of travelling Chinese users, who won't necessarily
contact the Peking GC, but connect to your Australia GC instead), your
GC should have all languages installed so that it can answer with the
right codepages. Otherwise the Outlook client may receive unreadable
characters from the GAL.
 
Don't confuse this with the multi-language UI - You'll simply have to
configure the languages via the Regional settings control panel. For
international companies, it is a best practice to install all languages
on all DCs, any of which could be a GC. For a distributed system like AD
I prefer just to use all language packs instead of adding only a
specific language, since you never know which codepage might be used in
other regions of your company. 

/Guido

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Molkentin,
Steve
Sent: Wednesday, 7 June 2006 17:50
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD integration/replication with OS in different
languages

All,

This may seem pretty straight forward, but I haven't been able to track
down any definitive info anywhere, not even from Microsoft.

We are looking at connecting a number of businesses within our region
(Asia Pacific) to the same domain. No stress there - most of the DC's
(where they exist) are all in some variant of English (all running
Windows Server 2003). We have some businesses in China, however, that
use the Chinese version of Windows Server 2003.

What I am asking is do we need to do anything special (other than maybe
install the chinese language packs on the english servers so we can read
the characters they have entered as data for their accounts, etc) to
have the directories integrate and not screw up replication or whatever?
I do not believe so - it should all be the same, just a different
character set responsible for some data entry so that will be copied but
only readable with language packs installed. I just thought I would run
it by the fonts of all knowledge here, as I am sure people have had
similar issues that allow them to shed specific light on this dilemma.

All help/pointers are greatly appreciated.

Thanks!  :)
 
Steve Molkentin (themolk).

Senior Network Engineer 
Information Services Team (Qld)
ASSA ABLOY Asia Pacific
(p) +61 (0)7 3373 5233
(m) +61 (0)401 709 405
http://www.assaabloyasiapacific.com 


RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

2006-06-07 Thread Free, Bob



Look for the "Net localgroup limitation?" thread in January 
of this year, particularly joe's message of 1/23/2006 8:35 
PM

Also his message of 2/20/2005 8:37 AM in thread 
"samAccountName attribute length"

Finally his listing from lmcons.h header 
file in "character limit for sAMAccountNames" from 3/8/2004 7:09 
PM

Sorry I don't have the links handy, those are from a search 
of my personal archives.

HTH



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Jorge, if you happen to find that in the archives, please post the 
link. 

A quick search of the net brings back some items that seem to indicate that 
greater than 20 could result in a problem with some directory sync tools. 

samaccountname is listed as being expected to be 20 chars. It doesn't 
differentiate between groups and users that use the samaccountname. That 
just "seems" like a recipe for issues, but if you say it can be 256 without 
issue, then (I know Joe, you're using 64 and so did Jorge, but it looks like 
it was done for convenience vs. going with more chars.) 

Interesting. 
On 6/6/06, Almeida Pinto, Jorge de [EMAIL PROTECTED] wrote: 

About a year and a half ago I have tested this as I was doing a migration from NDS to AD. Worked like a charm! (I even did tests for legacy clients like W9x as those were my biggest concern, did not find anything.) The NDS groups were > 64 chars and accepted all kinds of funny chars. I had to cut them down to <= 64 chars. Although the samaccountname accepts 256 chars, the full name (common name) accepts only 64 chars. And in cases like this I like to use the weakest link (smallest value) which is the length of the full name. (That is why I cut them down to <= 64 chars in the NDS so I did not experience any crap during the migration.)

Even in NT4 you could create groups > 20 chars. User Manager for Domains allowed 20 chars and some others did the same. However, several third party tools like Hyena and others go beyond that limit. Even if you use scripts you can create groups > 20 chars. However you will not be able to manage them with User Manager for Domains. To my knowledge, AD has no problem with groups > 20 chars.

By the way.. I remember another thread about this a while ago. Search the archives for it as I think you'll find more info on this.

Met vriendelijke groeten / Kind regards,
Ing. Jorge de Almeida Pinto
Senior Infrastructure Consultant
MVP Windows Server - Directory Services
LogicaCMG Nederland B.V. (BU RTINC Eindhoven)
Tel : +31-(0)40-29.57.777
Mobile : +31-(0)6-26.26.62.80
E-mail : see sender address

From: [EMAIL PROTECTED] on behalf of Joe Kaplan
Sent: Tue 2006-06-06 02:03
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Sure enough, rangeUpper is 256. I'm not sure where I got that 64 thing, but I'm guessing it was from memory and that was not up to the task again.

Anyone else? Is it safe or not for groups to have a sAMAccountName > 20 characters but <= 64? I'm going to assume that users definitely need to be <= 20.

Joe K.

- Original Message -
From: Al Mulnick
To: ActiveDir@mail.activedir.org
Sent: Monday, June 05, 2006 5:46 PM
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to gr oups?

Interesting. The online version I see says rangeupper is 256. Not sure how important that is, but...
http://msdn.microsoft.com/library/default.asp?url="">

Given the purpose of samaccountname I have a hard time believing something doesn't rely on that being 20 chars. Not to say that they haven't been since fixed, but that's too tempting for most folks not to just say, "well, to be usable it's limited to 20 chars and since Microsoft has that number published everywhere, we'll just assume it's 20 chars all the time..." or something like that.

Al

This e-mail and any attachment is for authorised use by the intended recipient(s) only. It may contain proprietary material, confidential information and/or be subject to legal privilege. It should not be copied, disclosed to, retained or used by, any other party. If you are not an intended recipient then please promptly delete this e-mail and any attachment and all copies and inform the sender. Thank you. 
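The thread settles on "the schema allows 256, users should stay at 20, and for groups it depends on what down-level tools touch them". The PowerShell below is an added example, not a script from the thread, that finds the accounts the question applies to: every user or group whose sAMAccountName exceeds the legacy 20-character limit, and anything whose cn exceeds the 64 characters Jorge used as his weakest link. The verdict logic (users over 20 fail, groups over 20 are reported) is my encoding of Joe's assumption, and the thresholds are parameters so they can be changed if an environment's tools say otherwise.

```powershell
# Added example, not from the thread: enumerate users and groups whose
# sAMAccountName is longer than the 20-character NT/LM limit the thread
# debates, and whose cn is longer than 64, using System.DirectoryServices.
# Whether a >20-character group is "safe" depends on the tools that touch it
# (Jorge's point); this just finds them so the question can be answered
# per environment. The thresholds are parameters.

function Test-SamAccountNameLength {
    param([string]$SamAccountName, [string]$ObjectClass, [int]$LegacyLimit = 20)
    # Users are held to the legacy limit; groups are reported rather than failed,
    # because the schema (rangeUpper 256) allows them and only down-level tools object.
    if ($SamAccountName.Length -le $LegacyLimit) { return 'ok' }
    if ($ObjectClass -eq 'group') { return 'over-legacy-limit' }
    'too-long'
}

function Get-LongSamAccountNames {
    param([string]$SearchBase = '', [int]$LegacyLimit = 20, [int]$CnLimit = 64)
    # '' binds to the default naming context of the domain the caller is in
    $root = if ($SearchBase) { [ADSI]"LDAP://$SearchBase" } else { [ADSI]'' }
    $s = New-Object System.DirectoryServices.DirectorySearcher($root)
    # objectCategory=person keeps computer accounts (also objectClass=user) out
    $s.Filter   = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))'
    $s.PageSize = 1000
    foreach ($p in 'sAMAccountName','cn','objectClass') { [void]$s.PropertiesToLoad.Add($p) }
    foreach ($r in $s.FindAll()) {
        $sam = [string]$r.Properties['samaccountname'][0]
        $cn  = [string]$r.Properties['cn'][0]
        $cls = if (@($r.Properties['objectclass']) -contains 'group') { 'group' } else { 'user' }
        $verdict = Test-SamAccountNameLength -SamAccountName $sam -ObjectClass $cls -LegacyLimit $LegacyLimit
        if ($verdict -ne 'ok' -or $cn.Length -gt $CnLimit) {
            New-Object PSObject -Property @{
                Class          = $cls
                sAMAccountName = $sam
                SamLength      = $sam.Length
                CnLength       = $cn.Length
                Verdict        = $verdict
            }
        }
    }
}

# Get-LongSamAccountNames | Sort-Object SamLength -Descending | Format-Table -AutoSize
```

Run it before a migration like Jorge's rather than after; a group that is created at 40 characters and then referenced from a tool that truncates at 20 fails in ways that look like a permissions problem rather than a naming one.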


RE: [ActiveDir] AD LDAP Logging.

2006-06-07 Thread Tony Murray









Hi Yann

One option would be to enable logging of all LDAP searches against the DC.

http://www.activedir.org/article.aspx?aid=97

Tony

PS. We're just loading a new version of the site, so it might take a few minutes before you can load the page.


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Yann
Sent: Thursday, 8 June 2006 6:39 a.m.
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] AD LDAP Logging.

Hello,

I need advice about troubleshooting LDAP connections to one of my DCs in my AD 2k3.

An application named ZOPE running on a Linux box accesses my DC.

Users use a web page, via the ZOPE application, that connects to my DC to list user information. Sometimes users are disconnected from my DC and the admin responsible for the ZOPE app called me to resolve this issue.

What are the different steps to troubleshoot possible problems with LDAP connections to my DC?

Thanks in advance for help,
Yann


This communication, including any attachments, is confidential. If you are not the intended recipient, you should not read it - please contact me immediately, destroy it, and do not copy or use any part of this communication or disclose anything about it. Thank you. Please note that this communication does not designate an information system for the purposes of the Electronic Transactions Act 2002.
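Tony's suggestion is the right first step on the DC side. The PowerShell below is an added example, not code from the thread or from the linked article, of how I would do that and one check I would make first: a DC drops any LDAP connection that has been idle for MaxConnIdleTime seconds (900 by default), which to an application holding a long-lived bind looks exactly like "users get disconnected from the DC". The script reads the LDAP policy limits from the default query policy, turns on the Directory Service log's search logging (the "15 Field Engineering" diagnostic level, which writes event 1644 for searches that cross the expensive or inefficient thresholds), and filters those events by the client address. The Zope host's address is a placeholder.

```powershell
# Added example, not from the thread: the two DC-side checks I would make
# for "users get disconnected from the DC". First, the LDAP policy limits:
# a DC drops any LDAP connection idle for MaxConnIdleTime seconds (900 by
# default), which looks exactly like the application "losing" its
# connection if it keeps a long-lived bind. Second, switch on the
# Directory Service event log's search logging so expensive or inefficient
# queries from the Zope box show up as event 1644. Run on the DC, elevated.

function Get-LdapPolicyLimits {
    # Limits live on the default query policy in the configuration partition
    $cfg = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
    $qp  = [ADSI]("LDAP://CN=Default Query Policy,CN=Query-Policies,CN=Directory Service," +
                  "CN=Windows NT,CN=Services," + $cfg)
    $limits = @{}
    foreach ($entry in @($qp.Properties['lDAPAdminLimits'])) {
        # each value is "Name=Value", e.g. MaxConnIdleTime=900
        $name, $value = ([string]$entry).Split('=', 2)
        $limits[$name] = [int]$value
    }
    $limits
}

function Enable-LdapSearchLogging {
    # Thresholds are counts of entries visited: "expensive" = visited more than
    # $ExpensiveVisited, "inefficient" = visited more than $InefficientVisited
    # while returning under 10% of them.
    param([int]$ExpensiveVisited = 10000, [int]$InefficientVisited = 1000)
    $diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    $parm = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    # Level 5 makes the DC log every search that crosses either threshold (event 1644)
    Set-ItemProperty -Path $diag -Name '15 Field Engineering' -Value 5 -Type DWord
    Set-ItemProperty -Path $parm -Name 'Expensive Search Results Threshold'   -Value $ExpensiveVisited   -Type DWord
    Set-ItemProperty -Path $parm -Name 'Inefficient Search Results Threshold' -Value $InefficientVisited -Type DWord
}

function Get-LoggedSearches {
    param([string]$ClientAddress, [int]$Newest = 200)
    # Event 1644 carries the client address, the filter and the number of entries visited
    Get-EventLog -LogName 'Directory Service' -Newest $Newest |
        Where-Object { $_.EventID -eq 1644 -and
                       (-not $ClientAddress -or $_.Message -match [regex]::Escape($ClientAddress)) } |
        Select-Object TimeGenerated, Message
}

$limits = Get-LdapPolicyLimits
'MaxConnIdleTime = {0}s, MaxConnections = {1}' -f $limits['MaxConnIdleTime'], $limits['MaxConnections']
Enable-LdapSearchLogging
# Get-LoggedSearches -ClientAddress '10.0.0.5'    # the Zope host (address is a placeholder)
```

If the disconnects line up with the idle timeout, the fix belongs on the application side (reconnect on failure, or bind per request) rather than in raising MaxConnIdleTime for everyone; and set the diagnostic level back to 0 once you have what you need, since level 5 on a busy DC fills the Directory Service log quickly.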





[ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Figueroa, Johnny


What rights does a user need to move objects from one OU to another? I
can not seem to find that or a white paper on delegation of authority
that someone mentioned before. 


Thanks in advance. 

Johnny Figueroa
Supervisor Network Operations  Support
Network Services 
Banner Health
Voice (602)495-4195
Fax (602) 495-4406
 
WARNING: This message, and any attachments, are intended only for the
use of the individual or entity to which it is addressed and may contain
information that is privileged, confidential and exempt from disclosure
under applicable law.  If the reader of this message is not the intended
recipient or employee/agent responsible for delivering the message to
the intended recipient, you are hereby notified that any dissemination,
distribution or copying of the communication is strictly prohibited.  If
you receive this communication in error, please notify us immediately


Re: [ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread Matheesha Weerasinghe

http://www.microsoft.com/downloads/details.aspx?FamilyID=29dbae88-a216-45f9-9739-cb1fb22a0642&DisplayLang=en

and

http://www.microsoft.com/downloads/details.aspx?FamilyID=631747a3-79e1-48fa-9730-dae7c0a1d6d3&DisplayLang=en



RE: [ActiveDir] Rights to move an object from one OU to another

2006-06-07 Thread joe
http://blog.joeware.net/2005/07/17/48/

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 
 



[ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Quatro Info
Hi all,


I have a general question / case. 

For small companies (10-20 employees), what config is best to keep the 
downtime in case of a crash to a minimum, especially in
an SBS environment / small company.

Let's keep it an easy example:

-company has 15 employees
-15 XP workstations
-one SBS 2k3 server installed with all necessary tools etc... Veritas 
Backup Exec / GroupShield etc. etc.
-RAID mirror installed
-network is configured well... firewall / updates etc.

Let's say all ingredients are there and are properly 
installed/working/configured for the perfect network. You name it... it's 
there.

BUT

There is only one server and all is centralized on that one SBS server:

-Exchange
-SQL databases
-file sharing
-network shared applications (company specific CMS, CRM... etc.)


I mean if that goes down, the whole company is down... and when I say down, I 
mean worst case scenario. Let's say that whole server
is burned to the ground. Every part has turned to dust. 

Sure the backup is there and the emergency repair disk etc. etc... but no other 
server to install it on... ordering it... restoring
it... takes a few days to get it all back in the air.

Is it best to convince the client/company to keep 2 servers running 
together... so that the servers share their functions?

Let's say
-1 server with SBS 2k3 for authentication & Exchange & SQL.
-1 server with Win2k3 for file sharing and the network shared 
applications.

Sure the last is best... but getting them convinced comes back like... we have a 
server, it works fine.



If you peepz have other ideas... share them!

Rgrds Jorre



Re: [ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

One more thing.. we've just started to think about virtualizing SBS.

Big server land guys are virtualizing DCs... guess what... you can do 
the same with SBS.  All the parts are officially supported to be on VS.


It's still a gleam in everyone's eye and just thoughts... but it sure is 
an idea, isn't it?



RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread joe



Here is the most recent...


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

According to the schema the sAMAccountName must be 
0-256; however, this is one of the famous SAM Attributes, and the rules of the 
schema are not necessarily the rules that apply to the SAM Attributes. See 
http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says 
description is multivalued." 

The sAMAccountName is fun because it depends on the object 
type it is applied to. For instance a user object peaks out at 20 even with 
LDAP. 

Localgroup names I believe could go to 256 characters if 
you knew how. You can definitely go that high on the local SAM on 
workstations.

Even with NET.EXE you can create and manipulate 
domain local groups with greater than 20 characters. In fact I just 
double-checked and it easily handled creating, populating, and deleting a group with 
100 characters. The pinch though is when you are trying to add that group 
to another group. NET.EXE screws that up and throws the usage screen. However, 
that doesn't mean it can't be done and that the API doesn't handle it. If you 
grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET 
API. I wrote the main code used in that tool initially back in about 
1997 or 1998 or so. 

I do recall in the early days of W2K some kind of an issue 
with group names though while importing them into AD from NT4 Domains. If the 
group was too long it would instead get a random sAMAccountName which I thought 
was quite fun. I ended up having to put in a check script after every migration 
to make sure that cn's and SAM Names matched up. 

Interestingly enough, MS has put an attribute into AD to 
hint at some point upcoming support for turning off the LANMAN support which 
artificially limits say a userid SAM Name to 20 characters, called uASCompat. 
However, currently that attribute seems to be entirely read-only. I have not 
been able to find a way to change it the various times I have poked through the 
source code. 


 joe





--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Free, Bob
Sent: Wednesday, June 07, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Look for the "Net localgroup limitation?" thread in January 
of this year, particularly joe's message of 1/23/2006 8:35 
PM

Also his message of 2/20/2005 8:37 AM in thread 
"samAccountName attribute length"

Finally his listing from lmcons.h header 
file in "character limit for sAMAccountNames" from 3/8/2004 7:09 
PM

Sorry I don't have the links handy, those are from a search 
of my personal archives.

HTH



From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Jorge, if you happen to find that in the archives, please post the 
link. 

A quick search of the net brings back some items that seem to indicate that 
greater than 20 could result in a problem with some directory sync tools. 

samaccountname is listed as being expected to be 20 chars. It doesn't 
differentiate between groups and users that use the samaccountname. That 
just "seems" like a recipe for issues, but if you say it can be 256 without 
issue, then (I know Joe, you're using 64 and so did Jorge, but it looks like 
it was done for convenience vs. going with more chars.) 

Interesting. 
On 6/6/06, Almeida Pinto, 
Jorge de [EMAIL PROTECTED] 
wrote: 
About a year and a half ago I tested this as I was doing a migration from NDS 
  to AD. Worked like a charm! (I even did tests for legacy clients like W9x as 
  those were my biggest concern, did not find anything.) The NDS groups were > 
  64 chars and accepted all kinds of funny chars. I had to cut them down to < 
  64 chars. Although the samaccountname accepts 256 chars, the full name 
  (common name) accepts only 64 chars. And in cases like this I like to use the 
  weakest link (smallest value), which is the length of the full name. (That is 
  why I cut them down to < 64 chars in the NDS, so I did not experience any 
  crap during the migration.) Even in NT4 you could create groups > 20 
  chars. User Manager for Domains allowed 20 chars and some others did 
  the same. However, several third party tools like Hyena and others go beyond 
  that limit. Even if you use scripts you can create groups > 20 chars. 
  However you will not be able to manage them with User Manager for Domains. To 
  my knowledge, AD has no problem with groups > 20 chars. By the way.. 
  I remember 
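Added example, not joe's check script or any code from the thread: a Python pass over a constructed export of migrated objects that applies the limits stated above (a user's sAMAccountName capped at 20, a group's allowed up to 256 by the schema, NET.EXE unable to nest a group whose name is over 20, cn capped at 64) and flags a group whose sAMAccountName no longer matches its cn, which is the symptom joe describes after NT4 imports. The sample objects, including the random-looking group name, are constructed for the example.

```python
"""Post-migration name check for AD users and groups (added example).

Limits come from the thread: sAMAccountName is 0-256 in the schema but a
user's is capped at 20 by the SAM; a group's can be longer, but NET.EXE
cannot nest a group whose name exceeds 20 characters; the common name
(cn) is capped at 64. A group whose sAMAccountName was randomised during
import no longer matches its cn, so that mismatch is reported too.
"""

SAM_SCHEMA_MAX = 256    # rangeUpper on sAMAccountName
SAM_USER_MAX = 20       # LANMAN-era limit the SAM enforces on user accounts
SAM_NET_EXE_MAX = 20    # longest group name NET.EXE can add to another group
CN_MAX = 64             # limit on the common name


def check_object(obj, require_match_for=("group",)):
    """Return a list of findings for one object; an empty list means clean.

    obj is a dict with objectClass, cn and sAMAccountName, as you would get
    from an LDAP export. The cn/sAMAccountName match is only enforced for
    the classes in require_match_for, since user cn values are usually
    display names rather than logon names.
    """
    findings = []
    cls = obj["objectClass"].lower()
    sam = obj["sAMAccountName"]
    cn = obj["cn"]
    if len(cn) > CN_MAX:
        findings.append(f"cn longer than {CN_MAX} chars ({len(cn)})")
    if len(sam) > SAM_SCHEMA_MAX:
        findings.append(f"sAMAccountName longer than schema max {SAM_SCHEMA_MAX} ({len(sam)})")
    if cls == "user" and len(sam) > SAM_USER_MAX:
        findings.append(f"user sAMAccountName longer than {SAM_USER_MAX} chars ({len(sam)})")
    if cls == "group" and len(sam) > SAM_NET_EXE_MAX:
        findings.append(
            f"group sAMAccountName longer than {SAM_NET_EXE_MAX} chars ({len(sam)}): "
            "NET.EXE cannot nest it, use the Net API or an LDAP tool"
        )
    if cls in require_match_for and sam.lower() != cn.lower():
        findings.append(f"sAMAccountName {sam!r} does not match cn {cn!r}")
    return findings


def report(objects):
    """Map cn -> findings for every object that has at least one finding."""
    result = {}
    for obj in objects:
        findings = check_object(obj)
        if findings:
            result[obj["cn"]] = findings
    return result


# Constructed sample export (not real directory data).
SAMPLE_OBJECTS = [
    # 31-character group: fine for AD and LDAP tools, NET.EXE cannot nest it
    {"objectClass": "group", "cn": "Finance-Reporting-Analysts-EMEA",
     "sAMAccountName": "Finance-Reporting-Analysts-EMEA"},
    # constructed stand-in for a randomised sAMAccountName after an import
    {"objectClass": "group", "cn": "Sales-West", "sAMAccountName": "$3A1F00-ABCDEF012345"},
    {"objectClass": "user", "cn": "jdoe", "sAMAccountName": "jdoe"},
    # 22-character user logon name: over the SAM limit for users
    {"objectClass": "user", "cn": "christopher.wellington",
     "sAMAccountName": "christopher.wellington"},
    # cn over 64 and group name over 20, but cn and sAMAccountName agree
    {"objectClass": "group", "cn": "A" * 70, "sAMAccountName": "A" * 70},
]

if __name__ == "__main__":
    for name, findings in report(SAMPLE_OBJECTS).items():
        print(name)
        for line in findings:
            print("   ", line)
```

Feed it the output of an LDAP export of the migrated OU (cn, sAMAccountName, objectClass) and fix the flagged objects before anyone tries to manage them with User Manager or NET.EXE.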

Re: [ActiveDir] LDAP Directory Server Path

2006-06-07 Thread Joe Kaplan
Just to elaborate a little on what Al said, when using an ADSI-based model 
like S.DS, the adspath contains the provider, optional server info and a 
distinguished name of an object to search.  When you don't specify a server 
part in the path (a serverless bind), LDAP infers a domain from the current 
security context and then uses the locator to find a DC in that domain.  You 
have to be careful with serverless binds though, especially in web apps, as 
the security context may be local machine instead of domain, so it may not 
be possible to infer a domain.  In some cases, it may be necessary to supply 
a domain name or even the DNS name of a specific DC.  Using your previous 
example, you may need to specify the harry.org part of the path.  A lot of 
it depends on the environment.


I also recommend using a tool like ldp.exe or adfind to help with LDAP 
programming.  These tools are very useful for executing ad hoc LDAP ops and 
modeling queries.


In general, you want to be careful with using ADSI or S.DS for 
authentication in an app.  It doesn't scale well for this type of thing.  If 
you must use LDAP-based auth (which is generally best avoided; use Windows 
auth instead), using something like the ActiveDirectoryMembershipProvider or 
calling System.DirectoryServices.Protocols directly will get you better 
scalability (if that's important).


We actually did write a whole book about this stuff and it doesn't suck, so I 
won't hesitate to recommend it for these types of questions: 
www.directoryprogramming.net.


Joe K.
- Original Message - 
From: Al Mulnick

To: ActiveDir@mail.activedir.org
Sent: Wednesday, June 07, 2006 3:09 PM
Subject: Re: [ActiveDir] LDAP Directory Server Path


Totally different questions.
The LDAP path is what is needed to connect to the directory via .NET (there 
are many examples in the language dialect your development staff are 
planning to use; Joe Kaplan is a good person to search for as he does this 
frequently and I believe has even taken the time to write a book about it).


Accessing it from a 'DMZ' depending on what that means to you is a 
different animal altogether and has a lot more to do with architecture, 
routing, physical connections, and name resolution.  Architecture is a huge 
part of that equation. There's nowhere near enough information in your 
posts, nor would I think it appropriate that you share that amount of 
information with outsiders, to even begin to answer that question in a 
usable manner.


To see/use that syntax, minus the protocol portion, have a look at tools 
like LDP.EXE.  Also search the Microsoft site for things like .net examples 
and ldap syntax and .net examples. You'll see what I mean.


Al


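An added example, not code from the thread or from the book: a small Python parser for the ADsPath form Joe describes (provider, optional server part, distinguished name). It flags serverless binds and can rewrite one with an explicit DC, which is the fix for a web app whose security context is the local machine rather than the domain. The grammar, the RootDSE special case and the default ports (389 for LDAP, 3268 for GC) are assumptions of this example; harry.org is taken from the thread as the sample domain.

```python
"""Parse ADsPath strings of the kind ADSI and System.DirectoryServices accept.

Assumed grammar (this example's own reading of the format):
    <provider>://[<server>[:<port>]/]<distinguishedName>
with provider LDAP or GC. A path with no server part is a serverless
bind: ADSI infers the domain from the caller's security context and asks
the DC locator for a DC, which is exactly what cannot work when the
caller runs as a local machine account.
"""
from dataclasses import dataclass
from typing import Optional

DEFAULT_PORTS = {"LDAP": 389, "GC": 3268}


def split_rdns(dn):
    """Split a DN on unescaped commas ('\\,' inside a value is kept)."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        rdns.append("".join(current))
    return rdns


@dataclass
class ADsPath:
    provider: str
    host: Optional[str]
    port: int
    dn: str

    @property
    def serverless(self):
        return self.host is None

    @property
    def domain(self):
        """DNS name implied by the DC= components (harry.org), or None."""
        parts = [rdn[3:] for rdn in split_rdns(self.dn) if rdn.upper().startswith("DC=")]
        return ".".join(parts) or None

    def with_server(self, host, port=None):
        """Same path, bound to an explicit DC (or GC) instead of the locator."""
        return ADsPath(self.provider, host, port or self.port, self.dn)

    def __str__(self):
        if self.serverless:
            return f"{self.provider}://{self.dn}"
        server = self.host if self.port == DEFAULT_PORTS[self.provider] else f"{self.host}:{self.port}"
        return f"{self.provider}://{server}/{self.dn}" if self.dn else f"{self.provider}://{server}"


def parse_adspath(path):
    """Parse an ADsPath; raises ValueError on anything that is not one."""
    if "://" not in path:
        raise ValueError(f"not an ADsPath: {path!r}")
    provider, rest = path.split("://", 1)
    provider = provider.upper()
    if provider not in DEFAULT_PORTS:
        raise ValueError(f"unsupported provider {provider!r}")
    if rest.upper() == "ROOTDSE":
        server, dn = "", "RootDSE"          # serverless RootDSE bind
    elif "/" in rest:
        server, dn = rest.split("/", 1)     # server part ends at the first slash
    elif "=" in rest:
        server, dn = "", rest               # looks like a DN: serverless bind
    else:
        server, dn = rest, ""               # bare server name, e.g. GC://harry.org
    host = None
    port = DEFAULT_PORTS[provider]
    if server:
        host, _, port_text = server.partition(":")
        if port_text:
            port = int(port_text)
    return ADsPath(provider, host, port, dn)


if __name__ == "__main__":
    p = parse_adspath("LDAP://DC=harry,DC=org")
    print(p, "serverless" if p.serverless else "explicit", p.domain)
    print(p.with_server("dc1.harry.org"))   # hypothetical DC name
```

The `with_server` rewrite is what you reach for when the app pool identity is not a domain account: keep the DN, add the DC or domain name, and the locator is no longer involved.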


Re: [ActiveDir] SBS and reducing downtime on crash

2006-06-07 Thread Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]

1.  Go to TechEd 2006 in Boston
2.  Go to Jeff Middleton's Myths of DR on SBS

Any questions?

Okay so seriously...

3.  Remember that under the hood we're AD.. so even though the big guys 
around here cringe at a single DC, all on one box.. all the tricks for 
AD restoration still work.


Okay Susan's first and foremost SBS rule of DR

1. Buy good hardware.

I have been running SBS since SBS 4.0 and here's what nailed me in the past

NIC died
Hub died (back when we did hubs)
NIC died
Switch died
Hard drive dropped off RAID
Switch froze up, required hard reset  (just two weeks ago.. good excuse 
for upgrading to gig switches don't you think?)


In all those years I've had minimal downtime.  Notice that I've only 
lost one drive and that was on my Adaptec RAID screaming like crazy but 
the network still chugged just fine ..so these days I buy spare NICs and 
hard drives.
I've also always had SCSI drives, and with my current baby (HP) have 
that lovely hardware monitoring stuff that sends me emails when the 
hardware gets even a sniffle.


Now I have a Dell OEM with IDE drives and it's not a server and you can 
so tell.  The SATA drive ones are ... well ask us again in about 
another year or so of the 'three year let's see how they do compared to 
SCSI'.  My home server is a cheap SATA HP but even that is better than 
the cheap Dell OEM version I got.


Lesson 1 - buy HP.. buy good server quality hardware.

2.  Consider adding to that backup a drive image software

(okay someone go tell the Garage door guy, the AD guru and the Joeware 
guy to stick fingers in their ears and don't read this)


We are only one DC.  It's a little hard to have replication and 
tombstone issues when you only have one AD.  Acronis may not say they 
will support imaging a DC... but when you only have one... it's not a 
biggie and it works.  We've done it.  Heck we can even restore a system 
state that's getting gray hairs.  When you only have one...sometimes 
you can do things that in big server land you absolutely would never 
ever do.


3.  Consider adding a secondary DC.

These days with virtual pc/server/vmware load up a server os on a 
workstation even and park an additional domain controller to replicate 
that AD.


4.  Practice that restore.  A few days to get it back in the air?  
Worst case scenario... Hurricane Katrina.. Jeff Middleton is from New 
Orleans Louisiana.. you know what he found? (and I'm ccing him so he can 
chat with you more directly).. ever try to buy server hardware in a 
computer store?  He was buying MCE editions as they were the beefier 
ones... have offsite backups of media... as he was scrambling in some 
cases to get the right media.  Sometimes it was the little things that 
nailed him.


Your worst case scenario is replacing that hardware... bare metal 
recovery in the 2k3 era is not the same as we had it in the 2k era with 
the SFN issues.


SBS is no different a DR recovery than the big guys... it just 
magnifies it, is all.


In a normal DR setup ... to get that back in the air.. on an SBS box?  
Not if you know what you are doing and have practiced.


5.  Cold server rights.  If you have SA you have cold server 
rights... you can park another server with a copy of the OS and then 
turn it off and leave it. 


Okay now let's review some of that 'the firm is down'.

1.  Cached credentials, cached outlook means that the server can drop 
off the face of the earth and the workstations just kinda hang out until 
it comes back on.


2.  Have alternative ways to get to key data.  I have a robocopy that 
pulls a copy of certain folders over to a spare drive on my 
workstation.. Excel and Word docs.. should the gang absopositively need 
to get into a doc for a case, even if the server is down, we have a 
duplicate that can be gotten into.


But honestly we're no different a DR story than the big guys.. a tad 
more complicated due to the all-on-one-box... but the same rules apply:


RAID
Hardware
don't skimp
Practice
Decide if you are not going to do the secondary DC and do a server 
image... or do the secondary DC and don't image.


and don't panic... and in my case I'm calling Jeff and paying him to be 
my calm DR buddy should something occur...


btw I don't like Veritas in a single SBS setup.. the built in SBS backup 
works fine.. if you need to backup additional servers, then do Veritas




RE: [ActiveDir] sample vbs script

2006-06-07 Thread joe



It is like creating a user and populating it only you add 
the overhead of opening up the user you are copying and looking at all of the 
settings and duplicating the ones you want on the new object. There isn't, for 
instance, a single COPYTHISID script call.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Antonio Aranda
Sent: Wednesday, June 07, 2006 4:13 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] sample vbs script




Thanks for all your 
help. I have another idea; let me know if it's a dumb idea. Is there 
a way with scripting to create a copy of a pre-existing user? Just create a 
copy of the user, change the names but have identical membership to security 
groups and OU and all other attributes. 

Thanks

Antonio



RE: [ActiveDir] User Logon Hour

2006-06-07 Thread joe
Title: User Logon Hour



You need to modify the logonHours attribute. This is, as 
far as I know at this hour of the night, an officially undocumented field in 
terms of formatting but basically it is a bunch of bits representing the time 
units. 

Now the fun thing is that using script, the octetstring 
attributes are a pain in the butt. I would recommend googling for scripts from 
Richard Mueller, he plays a lot in this area.

 joe


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Atila Firmino
Sent: Monday, June 05, 2006 2:08 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] User Logon Hour

Hi everybody. How can I change "user logon hours" by binding directly to the 
user object? Is this possible? I know that it is possible using another 
"object user" as template.
Thanks, Atila Firmino


This message is intended exclusively for its addressee and may contain 
information that is confidential and protected by a professional privilege or 
whose disclosure is prohibited by law. Unauthorized use of such information is 
prohibited and subject to applicable penalties.
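Added example, not joe's or Richard Mueller's scripts: Python that builds and reads the logonHours bitmask joe refers to. Assumed layout, which is what this example encodes: 21 bytes, one bit per hour of the week starting at Sunday 00:00, least significant bit first within each byte, with the bits stored in UTC. The utc_offset_hours parameter is this example's own; it is there because a schedule written without rotating for the local time zone shows up shifted in the Users and Computers dialog.

```python
"""Encode and decode the Active Directory logonHours attribute (added example).

logonHours is a 21-byte octet string: 168 bits, one per hour of the week,
starting at Sunday 00:00. Within each byte the least significant bit is
the earliest hour. The bits are stored in UTC, so a schedule written in
local time has to be rotated by the local UTC offset first, or the ADUC
dialog (which displays local time) will show it shifted.
"""
DAYS = ["Sun", "Mon", "Tue", "Wed", "Thu", "Fri", "Sat"]
HOURS_PER_WEEK = 24 * 7
ALWAYS = b"\xff" * 21  # every bit set: no restriction


def encode_logon_hours(windows, utc_offset_hours=0):
    """Build the 21-byte logonHours value from local-time windows.

    windows: iterable of (day, start_hour, end_hour), Sunday == 0, end
             exclusive, e.g. (1, 8, 18) is Monday 08:00-18:00 local time.
    utc_offset_hours: local offset from UTC (example: -5 for US Eastern
             standard time); the bits are rotated so they are stored in UTC.
    """
    bits = [0] * HOURS_PER_WEEK
    for day, start, end in windows:
        if not (0 <= day < 7 and 0 <= start < end <= 24):
            raise ValueError(f"bad window {(day, start, end)!r}")
        for hour in range(start, end):
            utc_index = (day * 24 + hour - utc_offset_hours) % HOURS_PER_WEEK
            bits[utc_index] = 1
    blob = bytearray(21)
    for index, bit in enumerate(bits):
        if bit:
            blob[index // 8] |= 1 << (index % 8)  # LSB-first inside each byte
    return bytes(blob)


def decode_logon_hours(blob, utc_offset_hours=0):
    """Return the set of permitted (day, hour) pairs, converted to local time."""
    if len(blob) != 21:
        raise ValueError("logonHours must be exactly 21 bytes")
    permitted = set()
    for index in range(HOURS_PER_WEEK):
        if blob[index // 8] & (1 << (index % 8)):
            local_index = (index + utc_offset_hours) % HOURS_PER_WEEK
            permitted.add((local_index // 24, local_index % 24))
    return permitted


def describe(blob, utc_offset_hours=0):
    """Collapse the permitted hours into windows such as 'Mon 08:00-18:00'."""
    permitted = decode_logon_hours(blob, utc_offset_hours)
    windows = []
    for day in range(7):
        hours = sorted(hour for d, hour in permitted if d == day)
        start = None
        for position, hour in enumerate(hours):
            if start is None:
                start = hour
            # close the window when the next permitted hour is not contiguous
            if position + 1 == len(hours) or hours[position + 1] != hour + 1:
                windows.append(f"{DAYS[day]} {start:02d}:00-{hour + 1:02d}:00")
                start = None
    return windows


if __name__ == "__main__":
    # Constructed example: office hours Monday-Friday, US Eastern (UTC-5).
    office = encode_logon_hours([(d, 8, 18) for d in range(1, 6)], utc_offset_hours=-5)
    print(office.hex())
    print(describe(office, utc_offset_hours=-5))
```

The bytes that `encode_logon_hours` returns are what you write to the attribute as an octet string; reading the attribute back through `describe` with the same offset is the quickest way to confirm the time zone handling before touching production accounts.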


RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread Freddy HARTONO



Interesting read...

So since I have thousands of groups with pretty long names 
- any suggestions on how you handle long group names? Do you create a short 
group name and put the long description on it...?


Thank you and have a splendid 
day!

Kind Regards,

Freddy Hartono
Group Support 
Engineer
InternationalSOS Pte Ltd
mail: 
[EMAIL PROTECTED]
phone: (+65) 
6330-9785





RE: [ActiveDir] max password age & where else to look?

2006-06-07 Thread joe



Yep, the reason is because it is divisible by 7. As Al 
mentioned, I have written this up here and in the newsgroups multiple, multiple 
times.

From watching an environment with over 200k IDs and daily 
password changes measuring in the thousands, we noticed that with a 91 day policy 
the password changes per day leveled out into a very stable pattern, with 
exceptions only around holidays, instead of most Mondays being heavier as the 
weekend changes then catch you on Monday as the dates get pulled due to the 
non-divisibility by 7. 

Don't take my word for it. If you aren't doing it, measure 
your password changes by running scripts daily to determine how many accounts 
have had their passwords changed, start graphing that over the long term, and 
then start using that for watching for issues. After you get a good baseline, 
switch to a value that is divisible by 7 and then watch the stabilization. 


The reason stabilization is nice is because it can help with the 
amount of issues the help desk is dealing with. Say you normally have 2000 
password changes a day; if you are pulled one day, that one day will get 4000 
changes - again this is on a Monday or the day after people return (and holidays 
are even worse then). That can be a serious load on the help desk. Another thing: a 
lot of companies will find that they have normal high points over the entire 
password change period; think of mass adds or an issue that forced a lot of 
people to reset their password for some reason. Doing this can help you find 
that and keep the help desk prepared for it (i.e. a note that says we expect 30% 
more password changes the 2nd week of June than most weeks, so be ready)[1], or 
work on trying to stabilize it by working with users and having them change 
their passwords early purposely to level that out a little.

Someone who is running an SBS or other small environment 
with only hundreds or thousands of users is probably thinking huh? But the 
enterprise world is considerably different. Small things can really add up fast. 


 joe


[1] 
Why is it important for the help desk to know? So they know the call volume 
could go up as people forget how to change their password properly or forget 
their new password and lock themselves out. 


--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 11:09 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age  where else to look?

Yeah, I realised that shortly afterwards. The value of this 
approach escapes me, however :)

I don't care which day of the week I change my password on 
and nor should the users IMHO.

neil


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Gil Kirkpatrick
Sent: 06 June 2006 15:07
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age  where else to look?


Think divisible by 7





From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age  where else to look?

I'll second guess joe - 
91 stops ppl from using cyclic passwords, which use dates or quarters to 
generate a password. e.g. passwordq12006, passwordq22006 
etc.

Hopefully joe will give 
an authoritative response :)

neil




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve
Sent: 05 June 2006 22:59
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] max password age  where else to look?

Okay. I'll ask the question that everyone else is 
afraid to: why 91 and not 90? 



Cheers

On 5/31/06, joe [EMAIL PROTECTED] 
wrote: 


:o)

I can imagine


Something I like to 
recommend to folks is to monitor password changes. Depending on how big you are 
you may even want to do it daily. It is a great way to keep an eye open for 
various issues. For instance if passwords aren't being changed in the normal 
periods at the normal rates, your policy may not be working. If more than usual 
are being changed then possibly you have some DC issues. You will even be able 
to graph out the password changes and possibly find interesting trends. Oh, 
to go along with this, I recommend a password age of 91 days for the obvious 
reasons... Actually I always recommend that over 90 days. 


 
joe




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Douglas W Stelley
Sent: Thursday, May 25, 2006 11:49 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] max password age  where else to look?

That was it, the policy needed 
to be re-applied. Boy did I cause hate and discontent when suddenly hundreds of 
users needed to change their password because they had expired! 
Thanks all 


"joe" [EMAIL PROTECTED] Sent by: [EMAIL PROTECTED] 05/24/2006 10:41 PM

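An added simulation, not from joe's post or any list member, of the weekday drift he describes. It uses a constructed starting population and assumes users change their password on the day it expires, or on the next business day when it expires at the weekend; under that model a 91 day policy keeps every user's change on the same weekday, so the daily histogram is identical from the first cycle on, while 90 days pulls each expiry one weekday earlier per cycle and the Monday pile-up grows.

```python
from datetime import date, timedelta

# Constructed starting population: how many users' pwdLastSet falls on each
# weekday of the first week (0 = Monday ... 6 = Sunday). The weekend entries
# stand for people who were forced to change on a Saturday or Sunday.
INITIAL_POPULATION = {0: 400, 1: 300, 2: 300, 3: 300, 4: 300, 5: 50, 6: 50}


def weekday_shift_per_cycle(max_pwd_age_days):
    """How many weekdays the expiry date moves each cycle: 0 for 91 days
    (same weekday every time), 6 for 90 days (one weekday earlier)."""
    return max_pwd_age_days % 7


def next_business_day(d):
    """Model assumption: a Saturday or Sunday expiry is dealt with on the
    following Monday, which is where joe's Monday load comes from."""
    while d.weekday() >= 5:
        d += timedelta(days=1)
    return d


def simulate_changes(max_pwd_age_days, cycles, start=date(2006, 6, 5)):
    """Return one histogram per cycle: {weekday: number of password changes}.

    start must be a Monday; 2006-06-05 is one (the thread above dates
    June 6, 2006 as a Tuesday).
    """
    assert start.weekday() == 0
    # date the password was last set -> number of users who set it that day
    last_set = {start + timedelta(days=wd): n
                for wd, n in INITIAL_POPULATION.items()}
    histograms = []
    for _ in range(cycles):
        next_last_set = {}
        hist = {}
        for changed_on, n in last_set.items():
            expiry = changed_on + timedelta(days=max_pwd_age_days)
            change_day = next_business_day(expiry)
            next_last_set[change_day] = next_last_set.get(change_day, 0) + n
            wd = change_day.weekday()
            hist[wd] = hist.get(wd, 0) + n
        last_set = next_last_set
        histograms.append(hist)
    return histograms


def monday_share(histogram):
    """Fraction of a cycle's changes landing on Monday: the help desk load
    joe is talking about."""
    total = sum(histogram.values())
    return histogram.get(0, 0) / total


if __name__ == "__main__":
    for policy in (90, 91):
        shift = weekday_shift_per_cycle(policy)
        print(f"maxPwdAge={policy} days (weekday shift per cycle: {shift})")
        for i, h in enumerate(simulate_changes(policy, 5), 1):
            print(f"  cycle {i}: {dict(sorted(h.items()))}"
                  f"  Monday share {monday_share(h):.0%}")
```

Real users change early inside the warning window, which spreads the load; the model only isolates the weekday drift that the divisibility by 7 removes.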
RE: [ActiveDir] LAG and LDAP queries

2006-06-07 Thread joe
Ah I love this problem... Crappy apps can't do the right thing so the AD
folks have to figure out a solution. I have been in this conversation so
many times it isn't funny. I have seen it go several ways.

1. The AD Admins cave in and do whatever to help the apps. 
2. The AD Admins tell the app folks they better get the app fixed or find
another way.
3. Spin up another directory and sync the info into it for the apps that is
more tailored for how the app wants to work.

1 and 3 both suck to me. But then so does 2 if the find another way is used.
The best solution is to beat the vendor until they do it correctly. 

So the problem with #1 is that in large orgs, it usually won't stop with a
single cname. You will end up spinning up cnames for all sorts of different
occasions. DCs that are in a special site, DCs of a specific domain, DCs of
a specific domain in a specific site, DCs that support LDAPS, DCs that
support LDAPS in a specific domain in a specific site, GCs, GCs in a
specific domain in a specific site, GCs in another domain or other site, etc
etc etc etc. This list is endless... This is why applications should do it
properly. When I ran a large directory, people constantly came to us and
told us we had to do this and we always said no. One UNIX application group
actually sat down and wrote a tool that did the proper site based SRV record
lookups. Had we crutched them, they never would have had impetus to find a
good solution. When someone says do this for a short time and we will find a
better answer, they won't. 

Barring that, I would rather see application integrators front ending their
crappy apps with perl or other tools that do the lookups on behalf of the
apps and populate the configurations of the apps. This can be done daily,
hourly, weekly, whatever the app folks feel is necessary and they should be
doing it in such a way that there is fault tolerance in case something
changes in the time between the updates.

AD Admins should not have to be worrying about this kind of crap. When a DC
is down and having a problem the last thing they should have to be worrying
about is manually updating DNS entries to protect crap apps. This can add to
the support costs and downtime because in the global scheme of things, AD
Admins should not be thinking about all of the various apps, they should be
thinking about maintaining the service as a whole. It is funny because app
groups can't be bothered to learn AD to figure out how to use it properly
but expect the DAs to learn everything about their app and how it works with
AD to make sure their app runs well. That is backwards...

   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Tuesday, June 06, 2006 12:09 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] LAG and LDAP queries 

I have a group of applications (i.e. Siebel etc) running from Unix boxes
using AD for LDAP.   I'm wanting to put in a Lag Infrastructure.

The queries from these APPs basically look at mydomain.mycompany.com 389.
That's about as smart as they get.  So, I know this isn't an AD problem but
if I want my lag I have to figure this out for them.  I don't want one of
the lag servers to return their query (stale info). I have read through a
couple of LAG threads here and not really found anything referring to my
exact problem. I know I can kill all the SRV records and keep the Windows
boxes out but I have to keep the cname to let this replicate on schedule.

Anyone tried something like putting in a DNS record with just the DC's they
want to return queries?

LDAPSERVERS.mydomain.mycompany.com

Am I way off base(DN) sorry bad j/k




List info   : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx

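An added example, not the list's or joe's own code, of the front-end lookup joe recommends: the app's server list is built from the site-aware SRV names AD registers, lag-site DCs are never handed to the app, and the domain-wide record is the fallback when the site has too few usable DCs. The SRV answers, hostnames, site name and lag DC are constructed placeholders; in production they would come from an SRV query (for instance dnspython's dns.resolver.resolve(name, "SRV")).

```python
DOMAIN = "mydomain.mycompany.com"

# Constructed SRV answers: (priority, weight, port, target) per record name.
# The names are the ones a DC registers: a site-specific one under _sites
# and the domain-wide one.
SRV_ANSWERS = {
    f"_ldap._tcp.Chicago._sites.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, f"dc1.{DOMAIN}"),
        (0, 50, 389, f"dc2.{DOMAIN}"),
    ],
    f"_ldap._tcp.dc._msdcs.{DOMAIN}": [
        (0, 100, 389, f"dc1.{DOMAIN}"),
        (0, 50, 389, f"dc2.{DOMAIN}"),
        (0, 100, 389, f"dc3.{DOMAIN}"),
        # lag-site DC (placeholder name): stale by design, never for apps
        (10, 100, 389, f"lagdc1.{DOMAIN}"),
    ],
}

LAG_DCS = {f"lagdc1.{DOMAIN}"}


def ordered_targets(records):
    """Order SRV records the way RFC 2782 intends: lowest priority first,
    heavier weight first within a priority. Real clients choose randomly in
    proportion to weight; a fixed order keeps this example deterministic."""
    return [f"{target}:{port}"
            for prio, weight, port, target
            in sorted(records, key=lambda r: (r[0], -r[1], r[3]))]


def build_server_list(answers, domain, site, exclude, minimum=2):
    """Build the LDAP server list for an app's configuration.

    Site-local DCs come first. If excluding lag DCs (or an unknown site)
    leaves fewer than `minimum` servers, the domain-wide record is added so
    the app still has somewhere to go when a site DC is down.
    """
    site_name = f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}"
    domain_name = f"_ldap._tcp.dc._msdcs.{domain}"
    servers = []
    for name in (site_name, domain_name):
        for hostport in ordered_targets(answers.get(name, [])):
            host = hostport.rsplit(":", 1)[0]
            if host in exclude or hostport in servers:
                continue
            servers.append(hostport)
        if len(servers) >= minimum:
            break
    return servers


def render_config(servers):
    """One line an app's properties file can take instead of a bare CNAME."""
    return "ldap.servers=" + ",".join(servers)


if __name__ == "__main__":
    for site in ("Chicago", "Nowhere"):
        print(site, render_config(
            build_server_list(SRV_ANSWERS, DOMAIN, site, LAG_DCS)))
```

Run from cron at whatever interval the app owners accept, the output replaces the cname the AD admins would otherwise have to keep updating by hand.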


RE: [ActiveDir] Anyone do anything this stupid and recover?

2006-06-07 Thread joe
Amen... 

I read My boss is an MCSE and he purposely let me sweat this one out on my
own.

And thought, the boss had no clue and was glad someone else was around to do
the work. You don't let a company stay in a painful position to allow
someone to learn. 

  joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Susan Bradley
Sent: Saturday, June 03, 2006 4:12 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anyone do anything this stupid and recover?

Congratulations.. you now have a higher degree BTDT

Been there done that.

MCSE is merely an exam..fantastic for the resume...but it's not 
necessarily the same as real life lessons.

If this was a SBS box I'd still run that ntdsutil just to make sure that 
the FSMO roles are where you want them to be.

Arnold Arce wrote:

Thought everyone would like an update.

After taking the old server off-line, it seems that the new server has
taken over the PDC functions automatically and everything is working fine.
I've finished copying the data over and unplugged the server, so we won't
have any 'accidental' powering up of the old server.  My boss is an MCSE
and
he purposely let me sweat this one out on my own.  Of course afterwards,
everything did make sense.  

Thanks for all the info.  I hope I never need it, but I will keep it stored
away for reference.

Arnold..

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Arnold Arce
Sent: Friday, May 19, 2006 11:40 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Anyone do anything this stupid and recover?

Thanks for the info.  Since most of the data has been copied over, I can
remove the old server from the network and just use a USB drive to copy
anything over that I missed.  So I think I will go this route.  I'll try it
this weekend to see.   

Thanks again.   Glad it's not completely hopeless.



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of
[EMAIL PROTECTED]
Sent: Friday, May 19, 2006 10:13 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Anyone do anything this stupid and recover?

Thinking along with Susan here.
 
First:

but in mixed mode AD, their NetBIOS domain names are just company.

Nothing to do with the mode here. NetBIOS names are whatever you set them to
be.
 
So, in your situation, I'd power down the old DC. Seize all the roles that
have been given up by this new DC. Reboot for good measure. Make sure it's
behaving properly. Then I'd do a NetBIOS name rename of the new domain (only
necessary if you still want to continue to migrate the old stuff from the old
domain into the new one). The following article:
http://download.microsoft.com/download/c/f/c/cfcbff04-97ca-4fca-9e8c-3a9c90a2a2e2/Domain-Rename-Procedure.doc
provides a detailed description of the domain rename exercise.
 
The long and short of this is that you are not completely SOL. If you have
invested a lot of time in installing and migrating stuff to this new
domain,
you don't have to start over completely. However, you may want to weigh the
amount of time and effort already invested against the amount of time and
efforts required to accomplish what I've described above. Rename is neither
easy nor too difficult.
 
Good luck.
 

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Susan Bradley, CPA
aka
Ebitz - SBS Rocks [MVP]
Sent: Fri 5/19/2006 6:26 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Anyone do anything this stupid and recover?



Using Ntdsutil.exe to transfer or seize FSMO roles to a domain controller:
http://support.microsoft.com/?id=255504

The command will take a few nanoseconds longer as it says sorry can't
transfer, I'm seizing... but would that work?

Didn't know if this would help in any way as well...but this more talks
about transferring them:
How to install Small Business Server 2003 in an existing Active
Directory domain:
http://support.microsoft.com/kb/884453/en-us


Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:

  

Can't you just seize the FSMO roles?

If the old PDC isn't there... ntdsutil and just seize them?

When you can only have one PDC/FSMO holder in SBSland... and we're
migrating across... we just rip the little suckers across and seize
them. Now mind you ... keeping the same domain is way better from a
'keep the profiles on the 

RE: [ActiveDir] [OT] New DC can't find the machine account

2006-06-07 Thread joe
Wow this thread went wickedly wrong...  

I agree that Al has definitely been quite chatty lately. That is ok, he can
pick up for my volume which has been reduced. Sometimes he is even right. :)

As for the Cher stuff... Errr no.

As for the saying my bad... Goodness... I do say that occasionally. I have
no problem falling on my sword when I screw up... Just go through the
archives and read every post from me. :)

  joe

--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Friday, June 02, 2006 2:46 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

Why?  Just because I'm feeling particularly mean this morning.  I like
Deji, but I think he needs some abuse for not having been around for a
while.

 
See who's talking. Just because you are chatty now, eh? Didn't you take off
and go AWOL for about 6 months last year? No peep from you. Everyone
wondering what happened to you. And you just reappeared without an official
explanation. You and that Todd Myrick dude. Both disappearing at the same
time. At least you came back. So, tell us - what did you do with him[1] :)
 
[1] You asked for it picking on me like that [2]
[2] As for that joe guy, I'm still waiting for him to say ooops, my bad
[3]
[3] Yeah, I know. He NEVER says that :)

Sincerely, 
   _
  (, /  |  /)   /) /)   
/---| (/_  __   ___// _   //  _ 
 ) /|_/(__(_) // (_(_)(/_(_(_/(__(/_
(_/ /)  
   (/   
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com  - we know IT
www.akomolafe.com http://www.akomolafe.com 
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon
 



From: [EMAIL PROTECTED] on behalf of Al Mulnick
Sent: Fri 6/2/2006 7:16 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account


I find myself agreeing with Deji, but I'll go one or two or three further. 
 
1) QIP? My experience with QIP has not been favorable in past accounts, but
I'll assume it works for you.  I've had way too much time invested that I'll
never get back with QIP/AD integration.  I'm not saying it won't work,
because it can, but it's way more complex/expensive than it's worth to me. 
 
2) In the case of AD, unless you have a really good technical and/or policy
reason not to, do like Deji says and make your AD dependent on an internal
DNS host that supports what it needs.  Like DDNS and permissions (security).
Best bet here is to make AD the master and let QIP be secondary if a
compromise is needed.  
 
3) Get joe to send pictures of himself as a Cher look-alike to Deji.  Why?
Just because I'm feeling particularly mean this morning.  I like Deji, but I
think he needs some abuse for not having been around for a while. (I know
it's extreme, but it's for your own good Deji.) EG 
 
Al 

 
On 6/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

In this case, you want to point the new DC to an internal DNS server
authoritative for the domain.

To close this - and answer joe's question - yes, it's DNS, silly.
It's always
DNS :). Slow startup, slow GP processing, slow desktop showing up,
slow
coffee maker, slow uplifting of skirts - always DNS. Choose a
working

INTERNAL DNS server, make netlogon dependent on DNS and 99% of the
trouble is
resolved :o


Sincerely,
  _
(, /  |  /)   /) /)
   /---| (/_  __   ___// _   //  _
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ 
(_/ /)
  (/
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com   - we know IT
www.akomolafe.com http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about

Yesterday? -anon




From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 6/1/2006 7:52 PM 
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account



[EMAIL PROTECTED] wrote:
 Mark: why would this be expected?
 Al: Who is doing DNS for this DC in question? If you ping a domain
resource
 from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's
Lucent's QIP server on a old slow NT box. According to the guy who
manages it he's a couple of major releases behind on the software.
We're
also 

RE: [ActiveDir] New DC can't find the machine account

2006-06-07 Thread joe



I have had really decent experiences with QIP. I have 
actually been happier with deployments with QIP on UNIX than Windows DNS. 



--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm




From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

I find myself agreeing with Deji, but I'll go one or two or 
three further. 

1) QIP? My experience with QIP has not been favorable in past accounts, but 
I'll assume it works for you. I've had way too much time invested that I'll 
never get back with QIP/AD integration. I'm not saying it won't work, 
because it can, but it's way more complex/expensive than it's worth to me. 

2) In the case of AD, unless you have a really good technical and/or policy 
reason not to, do like Deji says and make your AD dependent on an internal DNS 
host that supports what it needs. Like DDNS and permissions 
(security). Best bet here is to make AD the master and let QIP be secondary 
if a compromise is needed. 

3) Get joe to send pictures of himself as a Cher look-alike to 
Deji. Why? Just because I'm feeling particularly mean this 
morning. I like Deji, but I think he needs some abuse for not having 
been around for a while. (I know it's extreme, but it's for your own good 
Deji.) EG 

Al
On 6/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

In this case, you want to point the new DC to an internal DNS server
authoritative for the domain.

To close this - and answer joe's question - yes, it's DNS, silly. It's always
DNS :). Slow startup, slow GP processing, slow desktop showing up, slow
coffee maker, slow uplifting of skirts - always DNS. Choose a working
INTERNAL DNS server, make netlogon dependent on DNS and 99% of the trouble is
resolved :o

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com - we know IT
www.akomolafe.com http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Thu 6/1/2006 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:
 Mark: why would this be "expected"?
 Al: Who is doing DNS for this DC in question? If you ping a domain
 resource from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's
Lucent's QIP server on a old slow NT box. According to the guy who
manages it he's a couple of major releases behind on the software. We're
also seeing some other issues with machines in the child domain to this
domain having problems registering their DNS records.

Machines Existing DCs can be resolved and accessed - which confuses me
with the netlogon pausing as the DC when booting should, in my mind,
query the other dc for it's account information - not itself.

 al


From: [EMAIL PROTECTED] on behalf of Mark Parris
Sent: Thu 6/1/2006 7:11 AM
To: ActiveDir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Did you see my post last night - this is expected behaviour?

-Original Message-
From: Al Lilianstrom [EMAIL PROTECTED]
Date: Thu, 01 Jun 2006 08:13:20
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:
 I bet you one crate to a bottle of German beer that your DNS is out to
 lunch. Every time when I've seen this, it always goes away by kicking a
 DNS server somewhere. Check your DNS servers.

I talked to the networking people and the DNS server that is used for
our test domains is a couple of major releases out of date and running
on really crap hardware. Building him a new server...

Thanks for all the help.

 al

Sincerely,
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com - we know IT
www.akomolafe.com http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday? -anon


From: [EMAIL PROTECTED] on behalf of Al Lilianstrom
Sent: Wed 5/31/2006 7:53 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

Almeida Pinto, Jorge de wrote:
 see if the following helps:
 http://www.eventid.net/display.asp?eventid=1097&eventno=2126&source=Userenv&phase=1

I had run across that page last night. Time is ok (ntp to local time source)

 I don't think that both computer

RE: [ActiveDir] Query for user AD info from web application

2006-06-07 Thread joe
I would start them on the various LDAP primers out on the net or get the
O'Reilly AD books. The cookbook, my Active Directory 3E book, etc. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Friday, June 02, 2006 10:21 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query for user AD info from web application

Sorry, I've been out a few days and haven't been able to respond.

I see X500 address for new users not the users that were moved from our
exchange 55 servers.
We did an in-place install of our exchange 2003, we joined the 55 org
when we did the install.

I know our web developers are very used to using SQL format for their
databases. Do you have a good place I could direct them to use another
format?

Thanks,jb

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Tony Murray
Sent: Tuesday, May 30, 2006 10:42 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query for user AD info from web application


 Third, an X500 address would be unusual,...

Not an everyday occurrence, I agree, but I see these pretty frequently
with organizations that have migrated within Exchange 5.5 and then have
migrated to Exchange 2000/2003 (or an ADC is in place).  Typically, they
are used to support replies to emails in situations where the sender's
DN has changed. 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, 31 May 2006 11:48 a.m.
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Query for user AD info from web application

First off I generally try to dissuade folks from using the SQL format
for querying LDAP directories, it makes developers think capability
exists that doesn't. 

Second, mail attribute is not going to have any type of address other
than SMTP. 

Third, an X500 address would be unusual, do you mean X400 address? Every
mailbox has an X400 address by default, that will be maintained in
proxyAddresses and textEncodedOrAddress (same value in both). The only
default X500 address in Exchange would be what is used for the
legacyExchangeDN which is not maintained in proxyAddresses. The only
time you would have an X500 in proxyAddresses is if you manually added
it (say you modified the LEDN and wanted to keep the old one around for
routing, permissions, etc).

  joe


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Jason Benway
Sent: Tuesday, May 30, 2006 2:59 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Query for user AD info from web application

Our internet web application use AD to pull user information. They start
with the users email address and then look up other information.

We've notice today that if a user has a X500 address our query doesn't
work.

Here's what the web developer sent me

SELECT displayName FROM 'GC://DOMAIN.COM' WHERE
objectCategory='organizationalPerson' AND ((mail = '[EMAIL PROTECTED]'))

I don't know why a X500 address would mess this up, ideas?

Thanks,jb

--
Jason Benway
Network Services Manager
[EMAIL PROTECTED]
GHSP
1250 S.Beechtree
Grand Haven, MI 49417
616-847-8474
Fax: 616-850-1208


This communication, including any attachments, is confidential. If you
are not the intended recipient, you should not read it - please contact
me immediately, destroy it, and do not copy or use any part of this
communication or disclose anything about it. Thank you. Please note that
this communication does not designate an information system for the
purposes of the Electronic Transactions Act 2002.



RE: [ActiveDir][OT] Machine Psswd Age

2006-06-07 Thread joe
Yeah but he posted another entry too... So once again, you are behind Sir
~Eric. 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Eric Fleischman
Sent: Thursday, June 01, 2006 9:53 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Psswd Age

Correction: the GDO and I are tied. I posted again this morning, just to
spite you.

~Eric


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 01, 2006 6:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir][OT] Machine Psswd Age

Hey you, the garage door opener, and ~Eric[1] could all share a blog!
You
would still need to do a majority of the posting but occasionally they
would
kick something in. :)

Certainly I would be an avid reader.


   joe



[1] Who is actually being beat out this year in blog entries by the
person
he made fun of for having a blog and not posting 


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
 



-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, June 01, 2006 2:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Agreed I have many things that need to go into a blog and that is likely
something I will be working on in the near future.  I just hate to set
one up on technet and then not post, like someone else we know who took
forever to get their first post up and happens to open the garage doors
on campus. :-)  As far as NT 4.0 is concerned I have not debugged or
reviewed that code in years but I do not recall it being that much
different except for the default time changing to 30 days.  As far as
netlogon debug logging you want at a minimum NL_MISC.  I normally use
0x2000 to get the standard output and 0x2080 and then work up
from there on the more verbose logging.  Of course it does help to look
at the source and see what flag they logged a particular event against
but you can get there with trial and error.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Ulf B.
Simon-Weidner
Sent: Thursday, June 01, 2006 12:22 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

 Probably more than you ever wanted to know about machine account 
 password
changes.

Not at all - my brain sucks that stuff in. To be complete: was it the
same with NT4, or was there such a thing as half-time renewal? What's
the required level of netlogon-debug-logging? 1 enough?

Don't you want to share this info on a blog? It's great, and we could
give you credits and avoid typing whenever there's a discussion of that
topic.
Might be worth including the imaged-client and reset password on a
computer account discussions.

Gruesse - Sincerely, 

Ulf B. Simon-Weidner 

  Profile  Publications:
http://mvp.support.microsoft.com/profile=35E388DE-4885-4308-B489-F2F1214C811D
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org


-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, May 31, 2006 5:57 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Machine Psswd Age

Just to add some additional detail.  The machine account password is
actually changed every 30 days plus a random offset of up to 24 hours so
~31 days as a maximum by default with Windows 2000 and later OSes.  This
is done by the netlogon service on the client and there is a scavenger
thread that wakes up and performs the reset once this threshold is met.
If it cannot reach a Domain Controller it will go back to sleep and
wake up every 15 minutes to try and reset the password.  You can see
this behavior by turning up netlogon debug logging and see the following
output:

Success:

05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password
changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password
updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days
(0x9a7ec800)

Failure:

05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous
Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup:
cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
c05e   ^...
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup
Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes
(0xdbba0)

Random Offset:

05/25 
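An added parser, not from Steve's post or any Microsoft tool, that groups netlogon.log lines like the ones above into change attempts, classifies each as success or failure, and decodes the NlWksScavenger sleep value (the hex number is milliseconds: 0x9a7ec800 is 30 days, 0xdbba0 is 15 minutes). The sample lines are the post's own excerpts with wrapped lines re-joined and the hex dump after the 5719 entry dropped; the year is assumed, since the log format carries none.

```python
import re
from datetime import datetime, timedelta

# Sample input: the Success and Failure excerpts quoted in the post above,
# re-joined into one line per entry (the hex dump after the 5719 event is
# left out). Constructed for this example in that sense only.
SAMPLE_LOG = """\
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/25 14:48:22 [SESSION] NORTHAMERICA: NlChangePassword: Flag password changed in LsaSecret
05/25 14:48:23 [SESSION] NORTHAMERICA: NlChangePassword: Flag password updated on PDC
05/25 14:48:23 [MISC] NlWksScavenger: Can be called again in 30 days (0x9a7ec800)
05/16 01:13:24 [SESSION] NORTHAMERICA: NlChangePassword: Doing it.
05/16 01:13:24 [SESSION] NORTHAMERICA: NlSessionSetup: Try Session setup
05/16 01:13:24 [SESSION] NORTHAMERICA: NlDiscoverDc: Start Synchronous Discovery
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlDiscoverDc: Cannot find DC.
05/16 01:14:05 [CRITICAL] NORTHAMERICA: NlSessionSetup: Session setup: cannot pick trusted DC
05/16 01:14:05 [MISC] Eventlog: 5719 (1) NORTHAMERICA 0xc05e
05/16 01:14:05 [SESSION] NORTHAMERICA: NlSessionSetup: Session setup Failed
05/16 01:14:05 [MISC] NlWksScavenger: Can be called again in 15 minutes (0xdbba0)
"""

# "MM/DD HH:MM:SS [CATEGORY] message"
LINE_RE = re.compile(r"^(\d\d)/(\d\d) (\d\d):(\d\d):(\d\d) \[(\w+)\] (.*)$")
# The value in parentheses is the scavenger's sleep interval in milliseconds.
RETRY_RE = re.compile(r"NlWksScavenger: Can be called again in .*\(0x([0-9a-fA-F]+)\)")
EVENT_RE = re.compile(r"Eventlog: (\d+) ")


def parse_line(line, year):
    """Split one netlogon.log line into (timestamp, category, message)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    mon, day, hh, mm, ss, cat, msg = m.groups()
    ts = datetime(year, int(mon), int(day), int(hh), int(mm), int(ss))
    return ts, cat, msg


def parse_attempts(text, year=2006):
    """Group log lines into machine password change attempts.

    An attempt opens with 'NlChangePassword: Doing it.' and closes with the
    NlWksScavenger line; the result records the outcome, any event ids the
    client logged, the decoded retry interval and when the next attempt is
    due. The year is an assumption: the log only carries month and day.
    """
    attempts, current = [], None
    for line in text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue
        ts, cat, msg = parsed
        if msg.endswith("NlChangePassword: Doing it."):
            current = {"started": ts, "outcome": "unknown", "events": []}
            continue
        if current is None:
            continue
        if "Flag password updated on PDC" in msg:
            current["outcome"] = "success"
        elif "Session setup Failed" in msg or "Cannot find DC" in msg:
            current["outcome"] = "failure"
        ev = EVENT_RE.search(msg)
        if ev:
            current["events"].append(int(ev.group(1)))
        retry = RETRY_RE.search(msg)
        if retry:
            current["retry"] = timedelta(milliseconds=int(retry.group(1), 16))
            current["next_attempt"] = ts + current["retry"]
            attempts.append(current)
            current = None
    return attempts


def failed_attempts_with_5719(attempts):
    """Attempts that never reached a DC (event 5719) and are on the 15 minute
    retry cycle. A run of these from one host points at DNS or DC
    reachability, not at the computer account itself."""
    return [a for a in attempts
            if a["outcome"] == "failure" and 5719 in a["events"]]


if __name__ == "__main__":
    for a in parse_attempts(SAMPLE_LOG):
        print(a["started"], a["outcome"], a["events"],
              "next attempt", a["next_attempt"])
```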

RE: [ActiveDir] New DC can't find the machine account

2006-06-07 Thread Brian Desmond

WTF is QIP anyway? I've heard of BIND and Windows DNS. 

Thanks,
Brian Desmond
[EMAIL PROTECTED]

c - 312.731.3132


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, June 07, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] New DC can't find the machine account

I have had really decent experiences with QIP. I have actually
been happier with deployments with QIP on UNIX than Windows DNS. 

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Friday, June 02, 2006 10:17 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account



I find myself agreeing with Deji, but I'll go one or two or
threefurther. 











1) QIP? My experience with QIP has not been favorable in
past accounts, but I'll assume it works for you. I've had way to much
time invested that I'll never get back with QIP/AD integration. I'm not
saying it won't work, because it can, but it's way more complex/expensive than
it's worth to me. 











2) In the case of AD, unless you have a really good
technical and/or policy reason not to, do like Deji says and make your AD
dependent on an internal DNS host that supports what it needs. Like DDNS
and permissions (security). Best bet here is to make AD the master and
let QIP be secodary if a compromise is needed. 











3) Get joe tosend pictures of himself as a Cher
look-alike to Deji. Why?Just because I'm feeling particularly
mean this morning.I like Deji, but I think he needs some abuse for
not having been around for a while.(I know it's extreme, but it's for
your own good Deji.) EG 











Al







On 6/2/06, [EMAIL PROTECTED] [EMAIL PROTECTED] wrote: 

In this case, you want to point the new DC to an internal
DNS server
authoritative for the domain.

To close this - and answer joe's question - yes, it's DNS, silly. It's always
DNS :). Slow startup, slow GP processing, slow desktop showing up, slow
coffee maker, slow uplifting of skirts - always DNS. Choose a working 
INTERNAL DNS server, make netlogon dependent on DNS and 99% of the trouble is
resolved :o


Sincerely,
_
(,
/|/)
/) /)
 /---| (/___ ___// _
//_
) /|_/(__(_) // (_(_)(/_(_(_/(__(/_ 
(_/
/)
(/
Microsoft MVP - Directory Services
www.readymaids.com http://www.readymaids.com -
we know IT
www.akomolafe.com http://www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about 
Yesterday? -anon

From: [EMAIL PROTECTED]
on behalf of Al Lilianstrom
Sent: Thu 6/1/2006 7:52 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] New DC can't find the machine account

[EMAIL PROTECTED] wrote:
 Mark: why would this be expected?
 Al: Who is doing DNS for this DC in question? If you ping a domain
resource
 from that DNS server, does it resolve correctly?

Deji,

DNS for this test domain is provided by our datacom people. It's
Lucent's QIP server on an old slow NT box. According to the guy who
manages it he's a couple of major releases behind on the software. We're
also seeing some other issues with machines in the child domain to this
domain having problems registering their DNS records.

Machines Existing DCs can be resolved and accessed - which confuses me
with the netlogon pausing as the DC when booting should, in my mind,
query the other DC for its account information - not itself.

 al



 

 From: [EMAIL PROTECTED]
on behalf of Mark Parris
 Sent: Thu 6/1/2006 7:11 AM 
 To: ActiveDir.org
 Subject: Re: [ActiveDir] New DC can't find the machine account



 Did you see my post last night - this is expected behaviour?
 -Original Message- 
 From: Al Lilianstrom [EMAIL PROTECTED]
 Date: Thu, 01 Jun 2006 08:13:20
 To:ActiveDir@mail.activedir.org

 Subject: Re: [ActiveDir] New DC can't find the machine account

 [EMAIL PROTECTED] wrote:
 I bet you one crate to a bottle of German beer that your DNS is out to

 lunch.
 Every time when I've seen this, it always goes away by kicking a DNS
server
 somewhere. Check your DNS servers.

 I talked to the networking people and the DNS server that is used for 
 our test domains is a couple of major releases out of date and running
 on really crap hardware.

 Building him a new server...

 Thanks for all the help.

 al 

 From: [EMAIL PROTECTED]
on behalf of Al Lilianstrom 
 Sent: Wed 5/31/2006 7:53 AM
 To: ActiveDir@mail.activedir.org
 Subject: Re: [ActiveDir] 

RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

2006-06-07 Thread joe

Well for normal AD there is no reason to handle them unless 
for some reason you don't want them anymore. As for the ADC... It is a temporary 
POS... I am not sure how much changing of the environment I would do to support 
it. I would start looking at telling it to stop dorking with 
things.

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Freddy HARTONO
Sent: Wednesday, June 07, 2006 10:54 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Interesting read...

So since i have thousands of groups with pretty long names 
- any suggestions on how do you handle long groupnames? Do you create a short 
groupname and put the long description on it...?


Thank you and have a splendid 
day!

Kind Regards,

Freddy Hartono
Group Support 
Engineer
InternationalSOS Pte Ltd
mail: 
[EMAIL PROTECTED]
phone: (+65) 
6330-9785




From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Thursday, June 08, 2006 9:50 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Here is the most recent...


From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Monday, January 23, 2006 11:35 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Net localgroup limitation?

According to the schema the sAMAccountName must be
0-256, however, this is one of the famous SAM Attributes, the rules of the
schema are not necessarily the rules that apply to the SAM Attributes; see
http://blog.joeware.net/2006/01/21/222/ - which is a blog article titled "But the schema says
description is multivalued."

The sAMAccountname is fun because it depends on the object
type it is applied to. For instance a user object peaks out at 20 even with
LDAP.

Localgroup names I believe could go to 256 characters if
you knew how. You can definitely go that high on the local SAM on
workstations.

Even with NET.EXE you can create and manipulate
domain local groups with greater than 20 characters. In fact I just
double-checked and easily handled creating, populating, and deleting a group with
100 characters. The pinch though is when you are trying to add that group
to another group. NET.EXE screws that up and throws the usage screen. However,
that doesn't mean it can't be done and that the API doesn't handle it. If you
grab my LG tool from the website (http://www.joeware.net/win/free/tools/lg.htm) it will do it and I can guarantee it uses the LEGACY NET
API. I wrote the main code used in that tool initially back in about
1997 or 1998 or so.

I do recall in the early days of W2K some kind of an issue
with group names though while importing them into AD from NT4 Domains. If the
group was too long it would instead get a random sAMAccountName which I thought
was quite fun. I ended up having to put in a check script after every migration
to make sure that cn's and SAM Names matched up.

Interestingly enough, MS has put an attribute into AD to
hint at some point upcoming support for turning off the LANMAN support which
artificially limits say a userid SAM Name to 20 characters called uASCompat.
However, currently that attribute seems to be entirely read-only. I have not
been able to find a way to change it the various times I have poked through the
source code.

 joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Free, Bob
Sent: Wednesday, June 07, 2006 4:57 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Look for the "Net localgroup limitation?" thread in January 
of this year, particularly joe's message of 1/23/2006 8:35 
PM

Also his message of 2/20/2005 8:37 AM in thread 
"samAccountName attribute length"

Finally his listing from lmcons.h header 
file in "character limit for sAMAccountNames" from 3/8/2004 7:09 
PM

Sorry I don't have the links handy, those are from a search 
of my personal archives.

HTH



From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Al Mulnick
Sent: Tuesday, June 06, 2006 6:25 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] OT: Samaccountname attribute (20 char limit) not applicable to groups?

Jorge, if you happen to find that in the archives, please post the 
link. 

A quick search of the net brings back some items that seem to indicate that 
greater than 20 could result in a problem with some directory sync tools. 

samaccountname is listed as being expected to be 20 chars. It doesn't 
differentiate between groups and users that use the samaccountname. That 
just "seems" like a recipe for issues, but if you say it can be 256 without 
issue, then (I know Joe, you're using 64 and so did 
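The post-migration check joe mentions (do cn and sAMAccountName still agree, and is anything over the limit that applies to its object type) is short enough to show. The PowerShell below is an added example, not joe's script or a joeware tool, and it runs over a constructed list of objects rather than a directory so it works offline; the sample names, including the random-looking one standing in for an NT4-import rename, are made up. The Get-ADObject call in the comment is the ActiveDirectory module cmdlet you would feed it today and is not something the thread used. The 20/256 limits and the group-versus-user distinction are the ones joe describes; the rejected-character list is the documented SAM rule.

```powershell
# Added example (not joe's or the list's code): the cn-versus-sAMAccountName
# check joe describes, plus the length and character rules, run over a
# constructed object list. Against a live domain, feed it something like
#   Get-ADObject -LDAPFilter '(sAMAccountName=*)' -Properties cn,sAMAccountName,objectClass
# The sample objects and the random-looking group name below are made up.

$objects = @(
    [pscustomobject]@{ cn = 'jsmith';                          sAMAccountName = 'jsmith';                          objectClass = 'user'  }
    [pscustomobject]@{ cn = 'christopher.longname2';           sAMAccountName = 'christopher.longname2';           objectClass = 'user'  }
    [pscustomobject]@{ cn = 'Finance Approvers North America'; sAMAccountName = 'Finance Approvers North America'; objectClass = 'group' }
    [pscustomobject]@{ cn = 'Legacy Print Operators';          sAMAccountName = '$A3F2000-RQ1B7C4D';               objectClass = 'group' }
    [pscustomobject]@{ cn = 'bad"name';                        sAMAccountName = 'bad"name';                        objectClass = 'user'  }
)

function Test-SamAccountName {
    param([Parameter(ValueFromPipeline = $true)]$Object)
    process {
        $sam      = [string]$Object.sAMAccountName
        $problems = @()

        # Limits from the thread: a user name stops at 20 (LANMAN compatibility),
        # the schema itself allows the attribute up to 256 and groups can use it.
        $limit = if ($Object.objectClass -eq 'user') { 20 } else { 256 }
        if ($sam.Length -gt $limit) {
            $problems += "length $($sam.Length) exceeds $limit for a $($Object.objectClass)"
        }

        # Characters SAM rejects in an account name: " / \ [ ] : ; | = , + * ? < >
        if ($sam -match '["/\\\[\]:;|=,+*?<>]') {
            $problems += 'contains a character SAM does not allow'
        }

        # The NT4-import symptom joe describes: cn kept, sAMAccountName replaced
        if ($sam -ne [string]$Object.cn) {
            $problems += "sAMAccountName '$sam' does not match cn '$($Object.cn)'"
        }

        if ($problems.Count -gt 0) {
            [pscustomobject]@{
                cn             = $Object.cn
                sAMAccountName = $sam
                Problems       = ($problems -join '; ')
            }
        }
    }
}

$objects | Test-SamAccountName | Format-List
```

On the sample data the 31-character group passes (groups are not held to 20), the 21-character user is flagged, the renamed group is flagged for the cn mismatch, and the name with a quote in it is flagged for the character. Objects with no problems produce no output, so an empty result after a migration is the answer you want.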

[ActiveDir] OT: Security Policy Thoughts

2006-06-07 Thread Noah Eiger

Hi:

I am facing some IT policy questions and wanted to get some perspectives. In each of
these areas, I am trying to determine how restrictive I need to be. The client has
four sites connected over high-speed links. I have good backing from management
but will undoubtedly get resistance on some of these.

The client is small, under 200 employees with most in one office. Some small field
offices are not managed (i.e., have workgroup networks, often with a small
server, but no AD). There are no SOX requirements and the data are not
sensitive (e.g., no credit cards). Almost entirely Windows XP; all DCs
run W2k3.

Any thoughts on these topics welcome.

Connecting to the wired network. They do not run any IDS or
machine-based authentication. Given that, written policy carries some weight. I
want to require all non-domain machines to connect only to a public
VLAN that goes only to the Internet. I would apply this even to staff personal
computers, those of contractors (including me), and machines from those field
offices that are not on the domain.

VPN. They run a Cisco VPN. I want to distribute the client only to domain-based
machines. Others want the client for their home computers, etc.

Other Operating Systems. I don't want to allow other OSes
on the network, unless we manage them. But what is the threat posed by a Linux
or OS X box on the network?

As always, many thanks.

--
nme

--
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.1.394 / Virus Database: 268.8.2/356 - Release Date: 6/5/2006
 


RE: [ActiveDir] OT: Security Policy Thoughts

2006-06-07 Thread Brian Desmond

My suggestion is that you implement 802.1x port auth to implement
port based authentication. You can use this to implement guest vlans with the
policy routing you describe.

Isn't the Cisco VPN an MSI? Use Group Policy or SMS if you have
it. You can do some NAC stuff with Cisco VPN as well as the personal firewall
built into it.

I don't see how you plan to prohibit OS X. At least put it on
the guest vlan if you must, but realize that the marketing, pr, etc. people may
live in a Mac world.

Thanks,

Brian Desmond

[EMAIL PROTECTED]

c - 312.731.3132

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of Noah Eiger
Sent: Thursday, June 08, 2006 12:16 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] OT: Security Policy Thoughts